Phase II of the GNSS Evolutionary Architecture Study February 2010

This Report contains preliminary technical information only and does not represent official US Government, FAA, or GNSS Program Office positions or policy, except where explicitly stated, quoted, or referenced.

Phase II of the GNSS Evolutionary Architecture Study

February 2010

This Report contains preliminary technical information only and does not represent official US Government, FAA, or GNSS Program Office positions or policy, except where explicitly stated, quoted, or referenced.

1 GNSS Evolutionary Architecture Study Phase II Report

Executive Summary ...... 5 1. Introduction...... 10 1.1. Objectives and Scope...... 10 1.2. Challenges for Satellite Navigation ...... 11 1.3. Today’s Single Frequency Technologies for Aviation ...... 12 1.3.1. Receiver Autonomous Integrity Monitoring (RAIM)...... 12 1.3.2. Satellite-based Augmentation System (SBAS)...... 13 1.3.3. Ground Based Augmentation System (GBAS)...... 14 1.3.4. Single Frequency Summary...... 15 1.4. Pending Changes in the GNSS Ecosystem ...... 16 1.4.1. Dual Frequency Diversity...... 16 1.4.2. New Global Navigation Satellite Systems...... 17 1.4.3. Increased Integrity of the Core Constellations...... 19 1.5. Recommendations and Outline...... 21 1.5.1. Dual Frequency WAAS ...... 22 1.5.2. Dual Frequency GBAS ...... 23 1.5.3. Advanced RAIM (ARAIM)...... 24 1.5.4. Schedule Risk...... 26 1.6. Future Work for ARAIM Development ...... 27 1.6.1. Generation and Validation of the Integrity Support Message ...... 27 1.6.2. ARAIM Threats and Potential Mitigation ...... 27 1.6.3. Data Links and Format for the ISM...... 28 1.6.4. New Performance Requirements ...... 29 1.6.5. High Fidelity Prototyping ...... 29 1.6.6. Chronology ...... 30 1.6.7. Alternate Navigation...... 30 2. LPV-200 Requirements and Threats...... 31 2.1. Performance Requirements to Support LPV-200 Capability...... 31 2.1.1. Probability of Hazardously Misleading Information (HMI)...... 31 2.1.2. False Alert Probability Requirement ...... 31 2.1.3. Effective Monitor Threshold (EMT) ...... 32 2.1.4. 95th Percentile Accuracy of the Vertical Position Error (VPE) ...... 32 2.2. GNSS Fault Causes and Effects...... 33 2.2.1. Faults in the Space and Ground Segments...... 33 2.2.2. Faults in the User Equipment and Signal Propagation Errors ...... 33 2.2.3. Fault Probabilities and Time to Alert...... 34 2.3. Single Faults Versus Multiple Faults...... 34 2.3.1. Effects of Multiple Signal Faults on Advanced RAIM ...... 35 2.3.2. Historical Observations of Multiple Fault Conditions...... 35 2.3.3. Potential Causes of Consistent or Multiple Faults...... 35 2.3.4. Treatment of Multiple Faults in This Report ...... 37 3. ARAIM Basic Concept and Proposed VPL Equations...... 38

2 3.1. Assumptions...... 39 3.1.1. Satellite Ranging Error Characteristics...... 39 3.1.2. URE...... 39 3.1.3. URA ...... 40 3.1.4. Bias in Range Measurements...... 40 3.1.5. Airborne Error Model ...... 40 3.1.6. Satellite Integrity Failure Models ...... 40 3.1.7. Pr{HMI} Requirement Allocation...... 41 3.2. ARAIM Concept...... 42 3.2.1. ARAIM Algorithm...... 42 3.2.2. ARAIM Availability...... 45 3.2.3. Optimization of ARAIM for Improved Availability ...... 45 3.3. Proposed VPL Equations ...... 46 3.4. Multi-Constellation ARAIM...... 48 3.4.1. Background...... 48 3.4.2. Multi-constellation ARAIM formulas ...... 49 3.4.3. Inter-Constellation Comparisons...... 50 4. ARAIM Performance and Availability Results ...... 52 4.1. ARAIM Availability Results ...... 52 4.2. Impact of Correlated Faults on the ARAIM Integrity Performance...... 57 5. ARAIM Support: Ground Monitoring and Data Link ...... 60 5.1. Ground Monitoring...... 60 5.1.1. Ground Monitoring by a Single Station...... 62 5.1.2. Ground Monitoring by a Network ...... 63 5.2. Message Content...... 63 5.3. Data Links and Message Structures...... 63 5.3.1. Candidate Data Links...... 64 5.3.2. Message Structure and Capacity...... 64 6. Validation of the URA...... 66 6.1. Evaluation Criteria...... 66 6.1.1. Existing Statements...... 66 6.1.2. URE Performance Criteria...... 67 6.2. Validation Method...... 68 6.2.1. IURE Computation Method...... 69 6.2.2. Performance Test...... 70 6.3. Preliminary Results...... 70 7. Preliminary ARAIM/ISM Prototype Plan ...... 74 7.1. Overview...... 74 7.2. End State Objectives...... 74 7.3. Evolution of Existing Prototyping Capabilities ...... 75 7.3.1. Current Capabilities...... 75 7.3.2. Necessary Future Capabilities...... 78 7.4. Development Plan...... 79 7.4.1. Developing the full ARAIM algorithm for a single constellation ...... 80 7.4.2. Developing the full ISM ...... 81 7.4.3. Mitigations of threats...... 82

3 7.4.4. Studying the ground network and multiple constellations...... 84 7.5. Conclusions...... 86 8. Single Constellation ARAIM Considerations for the U.S. Military...... 87 8.1. Differences Between Civil and Military Applications of ARAIM...... 87 8.1.1. Dual Frequency...... 87 8.1.2. Availability Requirements ...... 87 8.1.3. Smaller Set of Users and Receiver Types...... 88 8.1.4. Integration with Other Sensors – Use of Relative RAIM...... 88 8.2. RRAIM-Extended ARAIM (ERAIM) ...... 88 8.2.1. ERAIM Positioning Algorithm...... 89 8.2.2. Time-differenced Carrier-phase Measurement Error Model ...... 91 8.2.3. ERAIM Fault Detection Algorithm ...... 92 8.3. Availability results using ARAIM and ERAIM ...... 94 Appendix A. GPS III Integrity Enhancements ...... 97 A.1 Space/Control Implementation ...... 98 A.2 Signal-In-Space (SIS) Implementation ...... 98 A.3 Receiver Implementation ...... 99 A.4 Development Assurance ...... 99 Appendix B. GNSS Performance Characteristics and Information Needed to Support ARAIM for LPV-200...... 101 B.1 General GNSS Characteristics and Information ...... 101 B.2 Characteristics and Information to Support LPV-200 Integrity...... 102 B.3 Characteristics and Information to Support LPV-200 Continuity ...... 104 B.4 Characteristics and Information to Support LPV-200 Accuracy ...... 104 B.5 Characteristics and Information to Support LPV-200 Availability ...... 105 Appendix C. Candidate Mitigations of Consistent or Other Multiple-Signal Fault Conditions...... 106 C.1 Condition 1: Algorithm Performance Is Adequate ...... 107 C.2 Condition 2: Range Residuals are Not Corrupted...... 108 C.3 Condition 3: The Implementation is Consistent with the Intended Algorithm 108 C.4 Implementing Checks for Multiple-Signal Fault Conditions in GNSS Master Control Stations Vs. in a GNSS Civil Monitoring System...... 109 C.5 Algorithm For Detecting Consistent Faults Associated With Incorrect Earth Orientation ...... 110 Appendix D. List of GNSS Evolutionary Architecture Study Panel Members...... 115 References...... 116

4 Executive Summary

This report provides an evolutionary path to support seamless air navigation worldwide based on the Global Navigation Satellite System (GNSS)1. This GNSS based plan would provide support for en-route flight, terminal area flight and Lateral Navigation (LNAV) approach operations. It would also provide support for precision approach based on lateral and vertical guidance that can be used down to altitudes of 200 feet. These precision approach procedures are called LPV or LPV-200 approaches. LPV stands for Localizer Performance with Vertical guidance, and LPV-200 indicates that the decision height is 200 feet above ground level. The report defines a path to provide LPV-200 capability worldwide even at airports without local GNSS instrumentation. Thus the overarching objective is to attain the safety and efficiency benefits associated with vertical guidance at virtually all airfields worldwide.

This report builds on the foundation provided by the Global Positioning System (GPS), which is the most mature member of the GNSS. At the end of 2009, GPS included 30 operational satellites that typically exhibit operational lifetimes of ten to fifteen years. The report also takes advantage of the planned dual frequency broadcast (L1/L5) from GPS and a new set of GNSS constellations including: Galileo, the Global Navigation Satellite System (GLONASS), Compass, the Quasi-Zenith Satellite System (QZSS) and the Indian Regional Navigation Satellite System (IRNSS). The evolution described herein also leverages the increased interest in integrity by the providers of these core GNSS services. It provides a structure that allows all of these new capabilities to be smoothly integrated for the benefit of aviation. The scope of the report is limited to the two decades from 2010 to 2030. Thus, while the GNSS Evolutionary Architecture Study (GEAS) is aware of the ongoing GPS III effort, the report does not consider GPS IIIC which may provide increased built-in integrity in the post 2030 timeframe.

To achieve worldwide LPV-200 capability, the report provides a path to obviate the four continuing challenges that must be addressed by the aviation use of GPS or any GNSS. Specifically, the evolutionary path is structured to address the following challenges: • faults • rare normal conditions including those due to space weather • constellation weakness and • radio frequency interference (RFI) and scintillation

Faults arise from within any navigation system. Historically, “major service faults” have occurred approximately three times per year for GPS. These faults can lead to Hazardously Misleading Information (HMI), and may not be detected within the aviation time-to-alert as part of normal GPS operations. Rare normal conditions also occur. For satellite navigation, they are most frequently associated with adverse space weather that generates ionospheric storms. These storms, which can persist for hours, can also introduce dangerous guidance errors. Constellation weakness would mean that the

1 The individuals who contributed to this report are listed in Appendix D.

5 GNSS does not have the number of satellites needed to support key aircraft operations. Today, GPS has 30 operational satellites, and this constellation strength virtually guarantees that every user has an adequate number of satellites in view at all times. However, an unexpected spate of satellite failures could weaken any of the GNSS constellations and replenishment could take years. RFI, intentional or unintentional, can result in GNSS outages, because terrestrial signals can readily overwhelm the signals coming from the GNSS satellites. RFI events can be accidental. They can also be due to scheduled activities such as U.S. Department of Defense (DoD) testing. Finally, they can be malevolent and intended to deny navigation service. Ionosphere scintillation occurs naturally and can affect either amplitude or phase of the signal.

These four challenges limit the performance of today’s GPS based systems. Any one of them can lead to interruptions of service, sometimes for extended periods, and can prevent an aircraft from initiating or completing an approach procedure. The mitigation of these four above-described challenges is the underlying theme of this report. Ultimately, GNSS will be fully accepted as a worldwide navigation aid for civil aircraft only when: powerful sovereign techniques allow any nation-state to mitigate GNSS faults and rare normal events; the impact of weakness in any single GNSS satellite constellation is null; and radio frequency interference, even malevolent, causes no substantive disruption to operations.

GNSS today: GPS is the sole GNSS constellation in widespread use by aviation. GPS faults do occur and rare normal conditions have certainly been observed. At present, these events are addressed either by aircraft autonomous techniques or with external monitors that compare GPS measurements to ground truth and broadcast error information to the airborne fleet in real-time.

Receiver Autonomous Integrity Monitoring (RAIM) is so named because the GPS receiver in the aircraft performs self-contained fault detection. RAIM compares each satellite measurement to the consensus of other available satellite measurements. In this way, RAIM detects the presence of a faulty satellite within the current set of in-view satellites. RAIM is used to support supplemental navigation in the en route and terminal area phases of flight and is also used to support lateral guidance during the approach phase of flight (in LNAV approaches). At present, RAIM cannot support vertical navigation. As will be discussed, this report defines an architectural path to remove this restriction when multiple GNSS constellations become available.

Both Satellite-based Augmentation Systems (SBAS) and Ground-based Augmentation Systems (GBAS) have been developed to provide GPS corrections plus error bounds in real time. Unlike RAIM, these systems detect faults by comparing GPS measurements to an established ground truth. SBAS is based on continental networks of reference receivers at surveyed locations. SBAS data supports navigation for en route and terminal area flight. It also supports non-precision approach and, generally, LPV-200 for all airports located inside the reference network. GBAS utilizes a mini-network of reference receivers placed entirely on the airport property. Hence one GBAS supports precision

6 approach and landing solely at the instrumented airport. It will also support navigation in the terminal area that surrounds the airport.

RAIM, SBAS and GBAS all detect faults and rare normal events. However, they are all vulnerable to signal interference because the current implementations are based on the single GPS broadcast frequency at L1. In addition, all three approaches are degraded to varying degrees by constellation weakness. RAIM is the most vulnerable since it depends on satellite to satellite comparisons in the aircraft. Roughly speaking, it requires 28 satellites to support lateral navigation during approach operations. The current GPS constellation has approximately 30 satellites, but the DoD guarantee for civil users is 21 healthy satellites with at least 0.98 probability. SBAS and GBAS are less vulnerable to constellation weakness because each detect and isolate faults based on the use of ground truth. However, even these systems would suffer reduced availability and increased continuity risk if the GPS constellation were reduced below 23 operational satellites.

For these reasons, another generation of GPS-based avionics is envisaged and needed. This next wave of equipment will leverage three profound changes within the GNSS: dual frequency diversity (L1/L5); new (or rejuvenated) satellite navigation systems from Europe, Russia and China; and the increased interest in integrity by the providers of these core GNSS services.

Our recommendations leverage these improvements and initiatives as follows.

Dual frequency SBAS and GBAS: The deployment of dual frequency SBAS should continue apace, and dual frequency GBAS should be developed. Beginning in 2010, all new GPS satellites will broadcast ranging signals for civil use on two aeronautical frequencies rather than one. These frequencies are designated L1 (1575.42 MHz) and L5 (1176.45 MHz). Both of these frequencies lie within portions of the radio spectrum that are allocated to the Aeronautical Radionavigation Service (ARNS) and Radionavigation Satellite Service (RNSS). Thus, this frequency diversity will enable second generation SBAS and GBAS avionics to remove the effect of ionospheric propagation induced errors autonomously and thus obviate the most troublesome aspect of space weather – ionospheric storms. Today, these storms cause continuity breaks and availability outages for SBAS and GBAS. Dual frequency diversity will also diminish the impact of accidental or scheduled radio frequency interference on SBAS and GBAS.

Advanced RAIM (ARAIM): The development of advanced RAIM should continue. As mentioned above, receiver autonomous integrity monitoring (RAIM) only supports lateral navigation. If developed, ARAIM would also support vertical guidance for precision approach. This extension would be based on the frequency diversity (L1/L5) described above and geometric diversity from the new GNSS constellations. Indeed, the European GNSS, Galileo, has moved forward with the launch of two prototype satellites, the development of four in-orbit validation satellites, and the recent award for a contract for 14 operational satellites in early 2010. The Russian system, GLONASS, has recently been rejuvenated after years of decline. The Chinese GNSS, Compass, will add Medium

7 Earth Orbit (MEO) satellites to an existing set of geostationary satellites in order to extend its regional coverage worldwide.

Even with frequency and geometric diversity, ARAIM will need to provide a deeper level of safety assurance than the first generation of RAIM used for lateral navigation, because vertical guidance is associated with a severe major hazard level. This increased scrutiny applies during development and in operation. ARAIM development needs to consider less likely threats to GNSS than the first generation of RAIM. Such threats are posited in this report. However, they have not been fully analyzed; nor have proposed mitigations been validated. This needed work is outlined in this report.

GNSS scrutiny must continue beyond system development into the operation of the system. This report recommends the use of an Integrity Support Message (ISM). In essence, this message conveys the safety assertions associated with each of the core GNSS to the sovereign responsible for a given airspace. These messages would contain performance estimates for each satellite to be used for air navigation. They would contain standard deviations that over bound the distribution of the satellite measurement errors and estimates of the a-priori failure rate for each satellite. In the near term, these messages could originate from a suitably modified SBAS or GBAS. In the longer term, they could originate from the GNSS control segments. These possibilities are described in this report.

The recommended ARAIM path would combine the signals from the forthcoming multiplicity of GNSS constellations. Importantly, it would also leverage the expressed interest of the GNSS service providers in increasing the safety-of-life utility of their basic satellite navigation systems. The U.S. targets the so-called GPS IIIC generation of satellites for initial integrity services in the decade following 2030, but some relevant improvements may occur earlier. For example, an on-satellite clock monitor will compare the performance of the multiplicity of onboard clocks and provide rapid exclusion of any faulted GPS clocks, beginning with the Block IIIA satellite. In addition, the Europeans have strived for a Safety-of-Life service from the onset of Galileo planning, and Russian interest is also quite clear. ARAIM provides a path to harmonize these embryonic plans and provide aviation benefits as soon as the core constellations become stronger or integrity properties become tangible. At the same time, the ARAIM- based capability would also accommodate degradations in the core constellations or the associated integrity performance. The ARAIM concept is not brittle: aviation will benefit from GNSS improvements without being sensitive to negative changes in the underlying constellations.

As mentioned above, ARAIM performance is not overly sensitive to variations in the strength of any of the individual constellations. This report finds that worldwide vertical guidance based on ARAIM is feasible using a joint constellation of 24 Galileo satellites and 21 GPS satellites. This finding provides relief from a major concern for aviation. Even though, the current GPS constellation consists of 30 satellites, the DoD guarantees only 21 operational satellites. Even this guarantee is stated using probabilistic terminology so weaker constellations are readily possible. Similarly, Galileo plans to

8 operate 30 satellites, but they may encounter the same budgetary constraints that influence GPS replenishment.

The development of ARAIM requires substantive effort and important technical issues remain. These issues are identified in the report and next steps are defined to address these concerns. To reduce these technical risks, civilian scientists and engineers should support dual frequency ARAIM techniques being developed to support vertical guidance for military aircraft. Indeed, ARAIM based on the GPS on the constellation alone does seem to make sense for military applications, because the availability requirement is lower and the military application is well served to guidance down to an altitude of 250 feet. For these reasons we expect military interest to continue. If the military interest does continue, their experience will certainly benefit the civil effort. In addition, international outreach and coordination should continue as a priority. The technical work should be coordinated based on the existing bilateral and multi-lateral mechanisms. Finally, this report recommends that alternate navigation remain as a priority to cope with RFI, be it accidental, scheduled or malevolent. This reversionary source of guidance needs to be totally independent of GNSS, and may be able to take advantage of new ground systems that are being installed for aircraft surveillance.

9 1. Introduction 1.1. Objectives and Scope

This report provides an evolutionary path to support seamless air navigation worldwide based on the Global Navigation Satellite Systems (GNSS). This GNSS based plan would provide support for en route flight, terminal area flight and non-precision approach operations. It would also provide support for precision approach based on lateral and vertical guidance that can be used down to altitudes of 200 feet. These precision approach procedures are called LPV or LPV-200 approaches. LPV stands for localizer performance with vertical guidance, and LPV-200 indicates that the decision height is 200 feet above ground level. The report provides a path to provide LPV-200 worldwide even at airports without local GNSS instrumentation. Thus it strives to attain the safety and efficiency benefits associated with vertical guidance to virtually all airfields worldwide.

This report identifies a way forward that builds on the foundation provided by the Global Positioning System (GPS), which is the most mature member of the GNSS. At the end of 2009, GPS included 30 operational satellites that typically exhibit operational lifetimes of ten to fifteen years. These satellites broadcast spread-spectrum ranging signals from medium earth orbit (MEO). Civilians have open access to the GPS Coarse/Acquisition (C/A) signal broadcast at the L1 frequency (1575.42 MHz). This single-frequency mode of operation typically provides five meter position accuracy, and this capability is available worldwide in all weather. The C/A broadcast is currently augmented to enable navigation for civil aviation, but another generation of GNSS equipment is needed to fully enable this important safety-of-life application.

This next generation of avionics should take advantage of the planned dual frequency broadcast (L1/L5) from GPS and a new (or rejuvenated) set of GNSS including: Galileo, GLONASS and Compass. The evolution should also leverage and harmonize the increased interest in integrity by the providers of these core GNSS services. The scope of the report is limited to the two decades from 2010 to 2030. Thus, it does not consider GPS IIIC which may provide increased built-in integrity in the post 2030 timeframe.

The remainder of this Introduction is structured as follows. Section 1.2 describes the four main technical challenges associated with the use of GNSS for aviation. Section 1.3 describes the satellite navigation technologies used by aviation in 2009. All of these technologies are based on airborne single frequency use of a single constellation. Specifically, airborne civil aviation equipment uses the L1 broadcast from GPS alone. Section 1.4 describes three pending advances in GNSS technology that we wish to harness for aviation use: new GPS signals at two aeronautical frequencies, L1 and L5; new GNSS deployments by Europe, Russia and China; and increased interest in integrity by the GNSS service providers. Section 1.5 lists our recommendations. It constitutes our best sense of how to combine the new GNSS advances to serve the interests of civil aviation worldwide. Section 1.5 also connects our recommendations to specific sections within the report. Finally, Section 1.6 discusses the future work that is needed to realize our recommendations. It also refers to specific sections in the body of the report.

10

1.2. Challenges for Satellite Navigation

This report identifies a path forward that obviates the four primary challenges that must be addressed by the use of GPS (or any GNSS for that matter) in the aviation application. Specifically, the evolutionary path is structured to address the following challenges.

Faults do arise from within the GNSS. In recent years, major service faults have occurred approximately three times per year for GPS. Many of these can be attributed to some form of clock runoff, where the signal broadcast by a given satellite is not properly synchronized to the signal from the other satellites in the constellation. Others have been due to an upload of faulty navigation data from the GPS control segment to the GPS satellites for broadcast to the users. Either of these types of faults can introduce positioning errors that are hazardous to aviation users. Moreover, in normal operation, GPS may not detect these threats for several hours. Key references include: [Warren, Creel, Jefferson, Cohenour, Guo, Phelts1, Mitelman, Edgar, Hsu, Van Dyke1, Van Dyke2].

Rare normal conditions can also introduce Hazardously Misleading Information (HMI). For satellite navigation, these conditions are frequently associated with adverse space weather that generates ionospheric storms. These storms can persist for hours while introducing dangerous guidance errors. Detection of ionospheric anomalies creates the largest restriction on operating regions and times for today’s single-frequency user of GPS based systems. Key papers that describe ionospheric effects on GPS include: [Klobuchar, Datta-Barua].

Constellation weakness would mean that too few well positioned satellites are operational in the GNSS constellation relative to the number needed to support key aircraft operations. Constellation strength means that the GNSS constellation is adequately replenished and that all key aircraft operations are adequately supported all of the time. In principle, GPS users only need four satellites to estimate their position. However, aircraft on approach typically need seven or more satellites to guarantee the performance needed to assure the safety of the operation. As mentioned earlier, GPS has approximately 30 operational satellites on orbit in late 2009. This constellation strength virtually guarantees that every approaching aircraft has an adequate number of satellites in view at all times. However, a spate of satellite failures in this aging constellation could weaken user geometry, and replenishment could take years to address. Indeed, the General Accounting Office (GAO) has recently published their concerns about the replenishment strategy for GPS [GAO]. Needless to say, similar difficulties could affect any of the GNSS constellations.

Radio frequency interference (RFI), intentional or unintentional, can readily result in GNSS outages. As mentioned above, the satellite signals originate in medium earth orbit, approximately 12,000 miles from the earth’s surface. GPS signals are received at the user background noise level. Hence these signals are weak and

11 readily overwhelmed by any of the multitude of signals emanating from terrestrial sources. RFI events can occur due to scheduled activities (e.g. DoD testing). They can be accidental or unintentional causing co-channel degradation. Finally, these RFI events can be malevolent and intended to deny service. In the past few years, several RFI incidents have occurred, and these have taken days or weeks to isolate and mitigate. A truly malevolent RFI event (i.e. jamming and spoofing) would be very problematic and could deny service for weeks. Key treatments in the open literature include: [Ward, Enge, RTCA DO-235, RTCA DO-292].

These challenges limit the performance of today’s GPS based systems. Any of these four challenges can lead to interruptions of service, sometimes for extended periods, and can prevent an aircraft from initiating or completing an approach procedure. The mitigation of these four above-described challenges is the underlying theme of this report. Ultimately, GNSS will be fully accepted as a worldwide navigation aid for civil aircraft only when: powerful sovereign techniques exist to mitigate GNSS faults and rare normal events; the impact of weakness in any single GNSS satellite constellation is null; and radio frequency interference, even malevolent, causes no substantive disruption to operations.

1.3. Today’s Single Frequency Technologies for Aviation

At present, GPS is the sole GNSS constellation in wide spread use by aviation. GPS faults do occur and rare normal conditions have certainly been observed. In 2009, these events are addressed by three technologies. First, Receiver Autonomous Integrity Monitoring (RAIM) is a fault detection mechanism that is contained within the avionics. RAIM requires an abundance of satellites, because it compares one satellite measurement to the consensus of the other available satellite measurements. Two other technologies use aircraft-external monitors that compare GPS measurements to ground truth and broadcast error information to the airborne users in real-time: Satellite-based Augmentation Systems (SBAS) and Ground-based Augmentation Systems (GBAS). We introduce all three techniques in the brief subsections that follow. For additional background, the Phase I report from the GEAS [GEAS] contains a deeper description of autonomous and ground-based fault detection. It also contains our first description of more sophisticated allocations of the integrity burden between the aircraft and the ground. This report builds on this earlier work.

1.3.1. Receiver Autonomous Integrity Monitoring (RAIM)

Receiver autonomous integrity monitoring (RAIM) is so named because the airborne receiver performs self-contained fault detection. RAIM compares each GPS measurement to the consensus of the other available GPS measurements. In this way, RAIM detects the presence of a faulty satellite within the current set of in-view satellites. The landmark papers on this technique are [Lee1, Brown, Axelrad]. In some circumstances, RAIM can also isolate which satellite is faulty or inconsistent with the other satellites in-view. In fact, the air transport industry has developed a variant of RAIM that includes fault isolation and integrates inertial navigation.

12

RAIM is used to support supplemental navigation in the en route and terminal area phases of flight, and is also used to support lateral guidance during the approach phase of flight (in LNAV approaches) [RTCA/DO-229D]. At present, RAIM cannot support vertical navigation. As will be discussed, this report defines an evolutionary path that would remove this restriction based on Advanced RAIM (ARAIM) [GEAS]. This extension anticipates the day when multiple GNSS constellations are available. This multiplicity of constellations would enrich the measurement environment enjoyed by the airborne receiver. It would enable the aircraft to autonomously detect the small faults or rare normal conditions that could threaten vertical guidance during approach. As such, ARAIM, as proposed herein, is an extension of the RAIM capability that has been in use by aviation for many years.

1.3.2. Satellite-based Augmentation System (SBAS)

Aircraft-external monitors form the basis of space-based augmentation systems (SBAS) and ground-based augmentation systems (GBAS). These external monitors process measurements from networks of GPS reference receivers at known locations on the ground. SBAS and GBAS provide corrections to the civil signals from GPS. They also provide error bounding data in real time. As such, both systems augment the GPS Standard Positioning System (SPS). Relative to RAIM, they do not require as many satellites in the GPS constellation for a given fault detection capability, because they detect faults by comparing GPS measurements to a surveyed ground truth. Also, SBAS and GBAS readily isolate the troublesome satellite, because every satellite in view is compared to ground truth.

SBAS is based on networks of reference receivers spread over continental areas. The reference receivers are strategically positioned to collect GPS satellite data across the region to be served. These reference receivers measure the GPS signal-in-space (SIS), and these measurements are backhauled to redundant master stations. The master stations calculate errors in the GPS signal, and these error estimates are used to create corrections to the GPS measurements. Importantly, SBAS also provides real time error bounding data for these corrections. The corrections and error data are both valid over the continental area spanned by the reference network and so they are broadcast to suitably equipped aircraft using satellites in the Geostationary Earth Orbit (GEO). This GEO broadcast of SBAS data uses spread spectrum signals within the same L1 band used by GPS. These satellites can also provide an additional GPS-like ranging capability that further augments GPS.

The SBAS corrections improve the accuracy of GPS from approximately five meters to better than one meter. The associated error bounding data enables SBAS avionics to overbound the positioning error in real time. In fact, the error bounding data is updated often enough to support a six second time-to-alert against any potentially hazardous navigation information.

13 Operationally, SBAS supports en route and terminal area navigation. It also supports non-precision approach and, in some implementations, vertically aided approaches including LPV-200. As mentioned earlier, LPV-200 indicates that the decision height is 200 feet above ground level. Importantly, the geostationary broadcast cannot carry the path points for all of these approach procedures. This data is conveyed to the aircraft in a data base that is uploaded on the ground. Taken together, the SBAS capabilities: (a) improve safety by reducing controlled flight into terrain on approach; (b) increase the number of runway ends that have approach procedures; and (c) support Area Navigation (RNAV) en route for aircraft that are not capable of inertial navigation and /or flight management systems.

For the above listed reasons, the United States has operated an SBAS for North America since 2003, and this system is called the Wide Area Augmentation System (WAAS). In fact, WAAS has a long history of support from within the Federal Aviation Administration beginning with a Mission Need Statement, The Application of Satellite Navigation Capability for Civil Aviation, June 30, 1992 (revalidated September 1997). This support has been reiterated several times. (FAA, 1996; FAA, Sept. 2007; FAA, Sept 2002; FAA, 2006). In the language of the present report, WAAS enjoys this support, because it mitigates the faults and rare normal events that trouble the use of stand-alone GPS. With the use of the GEO satellites, it also reduces aviation’s sensitivity to the strength of the GPS constellation. In the United States some 30,000 aircraft are currently equipped with suitable avionics, and approximately 1900 runways across the United States have LPV approach procedures based on WAAS. In addition, WAAS has enabled the development of many missed approach procedures, and departure guidance for numerous runway ends and heliport/helipads in the National Airspace System.

SBAS is also being developed in Europe, Japan, India and Russia. The European Geostationary Navigation Overlay Service (EGNOS) is an SBAS that covers most of Europe. The MTSAT Satellite Augmentation System (MSAS) exists for the Japanese islands and the surrounding Asia-Pacific area. India is deploying the GPS and GEO Augmented Navigation (GAGAN), and Russia has also discussed plans to deploy SBAS.

1.3.3. Ground Based Augmentation System (GBAS)

As with SBAS, GBAS is based on measurements from GPS reference receivers at surveyed locations. In contrast to the wide area or regional distribution of SBAS reference stations, GBAS utilizes a small number of reference receivers with antennas placed close together on the property of a single airport. Hence, one GBAS installation serves a single airport and the surrounding terminal area by broadcasting GPS corrections and error bounds to the aircraft via a VHF Data Broadcast (VDB) from the host airport. This VDB provides reliable coverage within 45 km of the airport.

GBAS differs from SBAS because GPS measurements are made at only one location, and GBAS corrections and error bounds are intended to cover only that locality. Measurements made by four reference receivers are averaged together to produce pseudorange corrections and correction rates for all satellites in view, while “B-values”

14 are computed to detect and isolate failed reference receivers whose measurements diverge from the consensus of the remaining receivers. In parallel, a series of monitors are used to detect potential satellite clock, ephemeris, and signal failures, while specialized monitoring and geometry screening are used to mitigate the threat of ionospheric spatial anomalies that could make GBAS corrections significantly erroneous at nearby user aircraft.

The GPS corrections broadcast by GBAS improve the accuracy of GPS from approximately five meters to better than 0.5 meters. The associated error bounding data enables GBAS avionics to overbound rare-event position errors in real time. GBAS error bounds are updated every 0.5 seconds, and thus have the potential to meet the time-to- alert requirements for all categories of precision approach. Category I installations will begin to become operational in 2010, and Category II and III systems are planned for 2014 – 2015.

The air transport industry has worked diligently to develop GBAS for the following reasons. First, the VDB data includes the path points for the GBAS landing procedures at the given airport. This avoids the need for a separate data base that contains the path points. In addition, GBAS is ultimately capable of supporting Category II and III landings, while this capability is not planned for SBAS. For these reasons and others, Boeing and Airbus plan to install GBAS avionics in the B-737NG, B-787, B747-8, A-320 and A-380. They state that they have over 1000 aircraft orders that include GBAS avionics.

In the United States, GBAS is also known as the Local Area Augmentation System (LAAS). LAAS has recently emerged from the research phase. In the Fall of 2009, the FAA approved the GBAS ground system manufactured by Honeywell for Category I operations. More specifically, the Honeywell product received System Design Approval (SDA). This approval should trigger several near-term installations of GBAS ground systems in the United States, including Newark, Memphis, Minneapolis, and Olathe. Several other ground system manufacturers exist worldwide, and the worldwide interest in GBAS installation is strong. Finally, GBAS is also capable of supporting navigation in the terminal area surrounding the instrumented airport. This capability is under development.

1.3.4. Single Frequency Summary

RAIM, SBAS and GBAS all detect satellite faults, SBAS and GBAS also detect rare normal events. However, these technologies are all vulnerable to RFI, because the current implementations are based on the single GPS broadcast frequency at L1. Thus, radio frequency interference at L1 would likely introduce a break in the continuity of service. In addition, all three technologies are degraded to varying degrees by constellation weakness. RAIM is the most vulnerable since it depends on satellite to satellite comparisons in the aircraft. Roughly speaking, it requires 28 satellites to support lateral navigation during non-precision approach operations. The current GPS constellation has

15 approximately 30 satellites, but the DoD only guarantees 21 satellites. Even this guarantee is probabilistic, and so weaker constellations could be envisaged. SBAS and GBAS are less vulnerable to constellation weakness because each detect and isolate faults based on the use of ground truth. However, even they would suffer reduced availability and increased continuity risk if the GPS constellation were reduced below 23 operational satellites.

For these reasons another generation of GPS-based avionics is envisaged and considered necessary. This next wave of equipment will leverage three profound changes in the GNSS ecosystem. These changes will allow our community to obviate rare normal errors caused by the ionosphere, accommodate constellation weakness, and significantly mitigate RFI. They are described in the next section.

1.4. Pending Changes in the GNSS Ecosystem

As mentioned above, this section describes three important changes in the GNSS ecosystem. This report provides a plan to harness these changes for the benefit of aviation.

1.4.1. Dual Frequency Diversity

Beginning in 2010, all newly launched GPS satellites will broadcast ranging signals for civil use on two aeronautical frequencies rather than one. These frequencies are designated L1 (1575.42 MHz) and L5 (1176.45 MHz). Importantly, both signals fall within the intersection of two radio bands: Aeronautical Radionavigation Service (ARNS) and Radionavigation Satellite Service (RNSS). Since they fall in both bands, they are suitable for use by aircraft. If they fell outside of either band, they would not have such applicability.

This dual-frequency diversity will enable the avionics to autonomously remove errors due to the effect of ionospheric propagation. As such, it will almost obviate the most troublesome aspect of space weather: ionospheric storms. Ionospheric storms include spatial gradients that may cause the SBAS and GBAS reference observations to be decorrelated from the airborne measurements. Thus today’s SBAS and GBAS must hedge against this possibility and vertical guidance is prone to lapses in availability or continuity, although LNAV approach is virtually unaffected. With dual-frequency diversity, the avionics will autonomously remove the ionosphere and these potential gradients will have virtually no effect on the GNSS range measurements.

In equatorial regions, ionospheric scintillation may still break continuity for dual frequency users. Unlike the gradients described above, scintillation is due to relatively small scale variations in the ionosphere. It causes rapid variations in the amplitude and phase of the received signal. The equatorial regime is most prone to amplitude scintillation while northern latitudes exhibit phase scintillation effects. These scintillation effects may affect L1 and L5 simultaneously. However, these effects usually only last for a fraction of a second. This brevity suggests that the impact of simultaneous

16 effects could be rendered insignificant provided that the avionics standards require the avionics to reacquire any lost signals within one or two seconds [Seo et al.].

Dual frequency diversity will also diminish the impact of accidental or scheduled radio frequency interference. If either L1 or L5 is overwhelmed by RFI, then the remaining frequency will form the basis for reversionary navigation though the level of service may be reduced. In addition, the L5 signal is intrinsically more resistant to RFI than the L1 signal. The interfering signal needs to be 20 times more powerful to overcome the L5 signal than the L1 signal. Hence, the geographic area impacted by an interfering radio transmitter is at least 20 times smaller at L5 than at L1.

The L5 signal resides in the same frequency band as signals from the extant network of Distance Measuring Equipment (DME) as well as other high-powered emitters [RTCA DO-292]. A few DME signals are not troublesome to GPS, because the DME signals are pulsed and GPS is very robust against pulsed interference. At high altitude, DME interference can measurably degrade airborne equipment performance in a very few locations worldwide [RTCA DO-292]. This difficulty is due to the aggregation of many visible DME transmitters at high altitude. Fortunately, this condition does not exist when the aircraft is on approach or landing, because the distant DME signals will be attenuated by propagation close to the Earth’s surface.

Dual frequency diversity will obviate the impact of accidental or scheduled RFI, but malevolent RFI will still be worrisome because terrestrial jammers can easily be designed to overwhelm both L1 and L5. The prospect of malevolent jamming requires the civil aviation community to retain a subset of today’s terrestrial navigation infrastructure. This topic is further addressed below as Future Work.

1.4.2. New Global Navigation Satellite Systems

New satellite navigation systems are under development and should complement GPS in the next decade [Hegarty]. These include systems from Europe, Russia, China, Japan and India. Like GPS, these three systems are based on 24 to 30 satellites in medium earth orbit. They will broadcast signals near the GPS L1 and L5 frequencies. These signals will fall in bands that are allocated to both ARNS and RNSS, and thus be useful to aviation users. The remainder of this subsection describes the global navigation capabilities to be offered by Europe, Russia and China. The Japanese and Indian systems are important considerations as well, but not detailed here in the interest of brevity.

The European GNSS, Galileo, has moved forward with the launch of two prototype satellites. The first validation satellite was launched on December 28, 2005 and is called the Galileo In-Orbit Validation Element or GIOVE-A. The second prototype satellite, GIOVE-B was launched on April 27, 2008 [Gao1]. The European Space Agency has recently awarded the contract for operational satellites.

17 Galileo will offer a multiplicity of services based on four signals in the so-called L band of the microwave portion of the radio spectrum. Amongst these, the Open Service (OS) will be free for anyone to access. It targets consumer marketplaces such as automotive navigation systems and cell phones. However, it is also well suited for aviation augmentation, because it has signals in the same ARNS/RNSS bands used by the GPS L1 and L5 frequencies. As described later, the aviation potential of the OS is central to this report and recommendations.

Galileo also plans to offer a Commercial Service, a Public Regulated Service and a Safety of Life Service. The Commercial Service will be encrypted and available for a fee. It promises an accuracy of better than one meter and targets professional applications such as agriculture, survey and construction. It will be based on signals at three frequencies: near L1, near L5 and E6 at 1278.75 MHz. The Public Regulated Service and Safety of Life services will both provide accuracy comparable to the Open Service. However, the Public Regulated is encrypted for security applications (military, police and fire). The Safety-of-Life is designed for the rapid detection of faults to serve safety-critical transport applications including aviation. It will be further discussed in Section 1.4.3.

The Russian system, GLONASS, has recently been rejuvenated after years of decline. The first GLONASS prototype satellites were launched between 1982 and 1985. From 1985 to 2000, the first block of production satellites were launched; and the second generation of production satellites began to appear in 2001. The constellation included 24 healthy satellites at its peak in 1995. However, the replenishment rate could not compensate for several launch failures and short satellite lifetimes. By mid-2001, the GLONASS constellation had fallen into disrepair with only 6 operational satellites on orbit.

In 2001, Russia committed to rejuvenate the system, and this effort has been conspicuously successful. As of February 5, 2010, the GLONASS system consists of 22 satellites. Of these, 19 are operational, one is in maintenance and two are being decommissioned. The Russians plan to attain and maintain a steady state set of 24 satellites from 2011.

In 2010, the Russians plan to initiate their GLONASS-K generation of satellites. Like GPS and Galileo, these will radiate signals in both the L1 and L5 portions of the radio spectrum. Thus the planned signal structure would satisfy aviation’s desire for dual- frequency diversity based on signals within the ARNS/RNSS spectrum. Moreover, these new signals may be based on Code-Division Multiple-Access (CDMA) rather than the frequency-domain multiple-access (FDMA) currently employed by GLONASS. If so, the receivers may be somewhat easier to manufacture, because GPS and Galileo are also based on CDMA.

So far, GLONASS receivers have been built in very low volumes relative to GPS, with most of the GLONASS receivers being built by the survey companies to augment their rather specialized differential carrier phase applications. However, the current health of

18 the constellation has attracted the attention of the GPS chip manufacturers who build for consumer applications. These merchants are planning to include GLONASS along with GPS in their future offerings, because they want to offer consumers improved navigation performance when they are downtown or indoors.

China operates a regional satellite navigation system and plans a global navigation satellite system. The regional system is called Beidou and is based on four geostationary satellites placed in the equatorial arc over China. These satellites were launched in October 2000, December 2000, May 2003, and February 2007. Beidou differs from GPS, Galileo and GLONASS, because the user terminals are transceivers rather than passive receive-only devices. The user terminals can send and receive short messages. This capability is used for general messaging and is also used to initiate the location transaction. In the latter case, the user terminal sends a signal upwards to the satellites. The satellites time stamp the received signal and send the time of reception to a ground facility. The ground facility estimates the user location and sends this position estimate back to the user terminal via the Beidou messaging capability.

For global coverage, China plans to launch 30 MEOs and GEOs. This system is called Compass and is based on the same passive ranging capability as GPS, Galileo and GLONASS. Three prototype satellites have been launched. A MEO satellite was launched in April 2007, a GEO was launched in April 2009, and a second GEO launched in January 2010. Compass also plans to place signals in the same ARNS/RNSS bands that include L1 and L5. Thus, it would help to satisfy aviation’s need for dual-frequency diversity.

1.4.3. Increased Integrity of the Core Constellations

The GNSS service providers (certainly the United States, Europe and Russia) have all expressed strong interest in increasing the safety-of-life utility of their basic satellite navigation systems. The U.S. targets the so-called GPS IIIC generation of satellites for initial integrity services in the decade following 2030. As described earlier, the Europeans have strived for a Safety-of-Life service from the onset of Galileo planning, and Russian interest is also quite clear. This report harmonizes these embryonic plans to maximize the benefit for civil aviation. The remainder of this section reviews some of the initial thoughts for integrity from the GPS and Galileo systems. A more substantive essay on integrity within GPS IIIC is provided as Appendix A and the references include many fine papers on the Galileo Safety-of-Life service [Oehler].

Interest in GPS IIIC integrity began with a historical observation: most GPS faults are due to run-away clock events and upload faults mentioned earlier. If those faults could be eliminated, the historical fault rate would be closer to 1 x 10-7/hr as required for aircraft operations supporting Category I precision approach.

GPS clock faults can readily be detected by monitors built-in to the Block III satellites. Once detected, the satellites would then disable the affected ranging signals and report

19 the problem to the Control Segment (CS) for corrective action. The signal could be disabled by switching from the standard pseudorandom code to a non-standard code. Onboard detection would minimize user exposure to a potential integrity failure. In most cases, clock faults could be detected well before they posed any integrity threat to GPS users.

Faulty uploads could be addressed by modifying the CS upload procedure. Integrity within the CS would be focused on validating commands and uploads before they are transmitted to the satellites, thereby preventing errors from propagating to the satellites and the ranging signals. For this purpose, cross-checks may be desirable. For example, a satellite could ensure that it is set unhealthy by the CS before the satellite executes a command that could cause erroneous signals (e.g., an orbital maneuver).

For precision approach applications, built-in integrity for GPS would need particular emphasis on the generation of the User Range Accuracy (URA) parameters that are broadcast for each satellite. These parameters convey the confidence to be placed in the signal-in-space. They characterize the errors due to the satellite broadcast mechanism and the navigation data that modulates those signals. The historical data cited above is based on faults that introduce an error of 30 meters or 4.42 times the broadcast URA, whichever is less. For precision approach, smaller faults are significant; typically in the range of two to seven meters. These errors will need to be protected with an overall time- to-alert of six seconds to support Category I precision approach.

The GPS IIIC integrity concept could use existing URA parameters in the navigation messages broadcast from the satellites. This re-use may be needed because very few spare bits exist in the legacy navigation message. A single-bit integrity status flag would be added to the navigation message from each satellite. These flags would indicate whether the URA parameters broadcast by a satellite are assured to the legacy fault level of 10-5/hr/Satellite Vehicle (SV) or to the higher 10-8/hr/SV level required for precision approach. Importantly, they are not integrity warnings. As described above, real time alarms are conveyed by switching from the nominal code for any given satellite to a non- standard code. In contrast, the integrity flags would be used to convey the increased confidence in a satellite as the constellation matured and/or the satellite passed on-orbit acceptance tests.

The GPS III development uses integrity assurance processes patterned after those used for aviation. However, the integrity function described above is not planned until the GPS IIIC phase of the constellation. The IIIC phase calls for 18 satellites on orbit in the 2030 timeframe and a full constellation would be some years later. The recommendations of this report seek to provide the sought-after navigation support for worldwide vertical guidance in the 2018 time frame. However, they also hope to leverage and sharpen the current emphasis on integrity within the GPS program.

As mentioned earlier, Galileo also plans to build-in an integrity function. This function is called the Safety-of-Life service. It would be based on dual frequency signal diversity with signals near the GPS L1 and L5 signals and within the ARNS/RNSS bands that are

20 required for air navigation. Importantly, this service is being designed to have no common mode of failure with either the GPS or GLONASS constellations.

The Galileo Safety-of-Live service is based on the following treatment of the possible faults and rare normal conditions. • Faults are any troublesome events caused by the satellite broadcast mechanism and the navigation data that modulates those signals. Thus defined, faults are to be detected and removed by the built-in Galileo integrity function that monitors the signal-in-space performance as described below. • Rare normal conditions are due to radio propagation from the satellite to the user. They include effects due to the ionosphere, the troposphere, reflected signals and radio frequency interference. Ionospheric effects are removed by the use of dual frequency diversity and tropospheric errors are mitigated by the use of a standard error model. • User receiver errors include thermal noise effects. These will be limited by constraints on key receiver parameters, presumably to include correlator spacing and smoothing time.

Each signal-in-space is characterized by two parameters: the Signal-In-Space Accuracy (SISA) and the Signal-In-Space Monitored Accuracy (SISMA). The SISA will be an overbound of the actual Signal in Space Error (SISE) in nominal conditions and will not be computed in real time. (There is almost a one-to-one correspondence between the SISA and the URA defined later in this report.) The SISMA will be computed in real time using a worldwide network of 35 to 40 integrity monitors. As such, the SISMA will depend on: the quality of the integrity monitor measurements; quality of the propagation channel; and the geometry of the satellite under test relative to the cognizant integrity monitors. The Galileo integrity concept also includes an integrity flag that allows for the removal of any satellite that cannot be well characterized by SISA and SISMA. The fault tree is very similar to the ARAIM fault tree used in this report: each satellite can fail with an a priori probability, and only single faults are assumed. However, this report recommends that the effect of the faulty satellite be bounded by the remaining satellites in view of the avionics. In contrast, the Galileo Safety-of-Life concept bounds the fault- induced error using the SISMA broadcast by Galileo.

The Galileo Safety-of-Life concept is being actively developed within the framework of the International Civil Aviation Organization, RTCA and EUROCAE. The plan is to have a mature avionics standard (Minimum Operational Performance Standard or MOPS) in the post 2014 time frame. This report wishes to sharpen the Safety-of-Life proposal from Europe by the addition of multiple GNSS constellations and increased emphasis on autonomous integrity monitoring. We believe that the resulting service would be stronger than any service based on a single constellation.

1.5. Recommendations and Outline

This report provides an architectural evolution path to leverage the above-described changes in the GNSS ecosystem for the benefit of aviation. Dual frequency diversity

21 provides a powerful mitigation of the ionospheric storms that are today’s most prevalent threat to the continuity and availability of our operations. The new signaling frequency also provides a redundant signal and reversionary approach capability in the event of radio frequency interference. In addition, new constellations provide geometric diversity. By so doing, they address the long standing concern over constellation strength. Finally, the current enthusiasm from the GNSS service providers for built-in integrity must also be utilized.

1.5.1. Dual Frequency WAAS

Dual-frequency WAAS must remain as a near term priority. As described in the FAA Strategic Plan, the WAAS life cycle is divided into four Phases. Phase I was completed in July 2003 when the system achieved Initial Operational Capability (IOC). Phase II finished in Fiscal Year (FY) 2008, and provides full LPV performance (FLP) with precision approach service over all of CONUS and most of Alaska. Phase III covers FY2009-2013 and includes technical refresh and a transition from contractor operation to FAA operation and support. Phase IV, post FY 2013, provides dual frequency (L1/L5) operations. It is an important and necessary step in the overall evolution.

The four phases of the WAAS life cycle address the technical risk in achieving the highest levels of availability (.999) for the LPV-200 level of service at all locations. The fourth phase is particularly important. It enables users who require the highest level of continuity and availability to augment the WAAS broadcast ionosphere corrections performance with dual-frequency measurements. The direct inclusion of L5 in the avionics introduces new capabilities beyond those provided by single-frequency WAAS. It would provide: vertical guidance during ionospheric disturbances; coverage would be extended beyond the network of reference stations; and a reversionary capability in the presence of radio frequency interference. Finally, dual frequency avionics may enable approach operations in lower weather minima than the 200 foot limit associated with LPV-200. The next few paragraphs briefly address the increased robustness against ionospheric disturbances and radio frequency interference.

At present, ionospheric storms cause outages in the precision approach service from WAAS. Such ionosphere induced outages are projected to occur several times per year during the peak of the solar cycle and each such outage can last for an entire day. Dual frequency WAAS users would not suffer from these space weather effects because the user directly measures the ionosphere induced path delay to each GPS satellite. Thus, the user avoids the performance penalty due to spatial decorrelation inherent in the ground based ionosphere corrections. A dual-frequency user will be able to achieve lower protection levels with higher availability than the single-frequency user. In other words, the error due to the ionosphere can be made negligible compared to the other contributions to the protection level.

Dual frequency WAAS would also enjoy a powerful reversionary mode in the presence of radio frequency interference. If L5 is lost, then the legacy WAAS service based on L1

22 would still be available. If L1 is lost, then WAAS can either be updated to support precision approach or non-precision approach based on L5. Alternatively, the user equipment could revert to non-precision approach based on L5 and single frequency RAIM.

The inclusion of L5 in WAAS is not a small undertaking. Both the ground and air systems must be updated. The WAAS ground system includes numerous integrity monitors, each of which would have to be analyzed for any potential change. Any existing monitor requiring changes will have to go through the full HMI analysis. New monitors may be required. For example, a new monitor will be needed to monitor for distortions of the L5 signal.

Dual frequency WAAS avionics will be needed, and so the associated Minimum Operational Performance Standards (MOPS) [RTCA/DO-229D] will need to be updated. The MOPS describe the operational goals and specify the signal characteristics, data formats, corrections and airborne integrity algorithms. They also give the requirements for functionality and testing of SBAS receivers. The dual frequency MOPS would include the use of the combined measurements at the L1 and L5 frequencies by the aviation receiver. They would need to describe a degraded L5 only mode. They would likely view the L1-only capability as a reversionary mode that would be backwards compatible with the current single frequency MOPS.

WAAS will need to provide continuing support for legacy single-frequency users. Indeed, a large number of users will not require the availability and continuity advantages of dual frequency operation. Therefore the end state WAAS configuration will still need to support legacy single-frequency users and users who only use the second frequency for frequency diversity of the GEO data link. The single-frequency service will need to be maintained to support backwards compatibility with existing user receivers during and after the introduction of L5.

Hopefully, the inclusion of L5 in WAAS will galvanize other SBAS service providers to make a similar transition. As mentioned earlier, these other systems include EGNOS, MSAS and GAGAN.

1.5.2. Dual Frequency GBAS

Dual-frequency GBAS should also be developed. As mentioned earlier, GBAS supports navigation for terminal area flight, precision approach and landing. Category I capability will be available in 2010, and Category II/III services are planned for 2014-2015. All of these capabilities are based on GPS L1 alone. Dual frequency operation would bring the same advantages to GBAS that it brings to SBAS. Inclusion of L5 in the ground and air systems would reduce continuity issues associated with ionospheric storms and RFI. Most importantly, the availability of Category II and III landing operations would increase significantly, as the use of two frequencies to mitigate ionospheric spatial anomalies is far superior to the methods available to single-frequency (L1-only) systems.

23

The main technical challenge associated with dual-frequency GBAS is the optimization of the algorithm that combines measurements from the two frequencies to mitigate ionospheric anomalies. Unlike SBAS, under nominal conditions, GBAS is dominated by errors introduced by noise and multipath. These errors are amplified by the so-called ionosphere-free combination of the two measurements. However, the ionosphere-free combination has the advantage of completely removing ionospheric delay from ranging measurements; thus defeating all possible ionospheric anomalies. A compromise approach that uses the divergence-free combination of the two measurements removes ionospheric change but not the initial offset; thus some residual ionosphere threat remains [McGraw]. The best means of utilizing these two approaches along with real-time ground and airborne ionospheric monitoring is a topic of ongoing research [Konno].

Once ionospheric influences are minimized, GBAS performance will be most strongly influenced by potential faults in the signal shape and in the ephemeris data contained in the GNSS navigation message. These areas require further investigation to determine how much (if any) additional mitigation is required to meet Category III integrity requirements.

1.5.3. Advanced RAIM (ARAIM)

Advanced RAIM (ARAIM) should be pursued for the worldwide vertical guidance of civil aircraft based on two or more GNSS constellations radiating at two ARNS/RNSS frequencies (L1 and L5). Such an initiative is needed to harmonize the current cacophony of independent efforts underway worldwide. Absent coordination, these efforts will seek to find a civil aviation role based on the use of GPS, Galileo, GLONASS, and Compass standing individually. ARAIM provides a path to harmonize these embryonic plans and provide aviation benefits as soon as the core constellations become stronger or integrity properties become tangible.. At the same time, the ARAIM- based capability would also accommodate degradations in the core constellations or the associated integrity performance. The ARAIM concept is not brittle: aviation will benefit from GNSS improvements without being sensitive to negative changes in the underlying constellations.

ARAIM is an extension of the single-frequency RAIM discussed in Section 1.1. Both are based on an airborne comparison of each satellite measurement to the consensus of the other available satellite measurements. However, the distinctions are also important. ARAIM would support vertical guidance to decision heights of 200 feet (LPV-200), whereas single-frequency RAIM only supports LNAV guidance. As such, ARAIM must protect vertical errors at 35 meter level, while RAIM only needs to detect lateral errors of 200 meters or so. In addition, LPV-200 corresponds to a severe major hazard level (10-7), and LNAV is only major (10-5). The ARAIM theory and these distinctions are further elucidated in Section 3.

24 Since LPV-200 is associated with a severe major hazard level, ARAIM is subject to greater scrutiny than RAIM. This increase applies during development and in operation. The design and validation of ARAIM must consider less likely threats. These include the possibility of faults in the earth orientation parameters. After all, an airborne self- consistency test is not sensitive to a faulty orientation of the entire satellite constellation relative to the Earth. Such a common mode fault would not be detected by a comparison of one satellite measurement to the other measurements. These threats are thoroughly described in Section 2.

ARAIM scrutiny must continue beyond system development into the operation of the system. This report recommends the use of an Integrity Support Message (ISM). In essence, this message conveys the safety assertions associated with each of the underlying satellite systems to the sovereign responsible for a given airspace. These messages would contain performance estimates for each satellite to be used for navigation. For example, they could contain standard deviations that over bound the distribution of the satellite measurement errors. These would be akin to URA and SISA described above. It could also contain estimates of the a-priori failure rate for each satellite. In the near term, these messages could originate from a suitably modified SBAS or GBAS. In the longer term, they could originate from the GNSS control segments. Appendix B lists performance requirements for an ideal core constellation. The ISM is further described in Section 5.

In essence, the ARAIM concept allocates the responsibility for fast faults to the aircraft. It does require the ISM, which is developed using reference receivers on the ground, to be communicated to the aircraft. As such, ARAIM is not perfectly named; it does require some assistance from the ground. However, it would support an operational concept where the ISM is communicated at the time of aircraft dispatch or entry into new airspace. Thus ARAIM uses the multiplicity of satellites in a dual-constellation environment to take responsibility for all faults that arise between dispatch and the completion of approach.

As mentioned earlier, the ARAIM concept would not be overly sensitive to variations in the strength of any of the individual constellations. Indeed, this report finds that worldwide vertical guidance based on ARAIM is feasible based on a joint constellation of 24 Galileo satellites and 21 GPS satellites. This finding provides relief from a major concern for aviation. Even though, the current GPS constellation flies approximately 30 satellites, the U.S. Department of Defense only guarantees 21 operational satellites. This guarantee is stated using probabilistic terminology so constellations weaker than 21 are possible. Similarly, Galileo plans to fly 30 satellites, but they may encounter the same budgetary constraints that influence GPS replenishment. These availability results are substantiated in Section 4.

A first experimental assessment of ARAIM is contained in Section 6. This section analyzes the URAs generated by the GPS control segment in 2008 and 2009. It compares the URA-based error bounds to the measured errors for the GPS signal-in-space. The analysis is prospective, because it predates any official shift by the GPS program to

25 include aviation integrity. Even so, it provides a deep look at GPS performance in current times. Remarkably, it indicates that ARAIM would have provided adequate integrity performance throughout 2008 and 2009.

The ISMs provide a mechanism to include and leverage improvements made in the underlying GNSS systems. After all, the ISMs communicate the best current estimates of the URA and the prior fault rate for the GNSS signal-in-space. Consider the example described above for GPS III integrity; clock faults could be detected within the satellite and the satellite could protect users by switching to a non-standard code. This improvement could be reflected in the ISM contents, and the message would provide a route to connect these initiatives directly to a tangible and immediate aviation benefit.

Two outreach efforts must also accompany the development of ARAIM. First, international outreach and coordination should continue as a priority. The benefits of a coordinated effort are great. Moreover, the technical work is substantive and should be coordinated based on the existing bilateral and multi-lateral mechanisms.

Second, military applications of dual frequency ARAIM should be supported to the extent possible. Indeed, the U.S. military has conveyed interest in dual frequency ARAIM based on GPS alone for worldwide vertical guidance. DoD may be able to satisfy their requirements based on a single constellation because their requirements differ significantly from the civil requirements. Specifically, the military users are content with vertical guidance to decision heights that correspond to a vertical alert limit of 50 meters rather than 35 meters. They are also satisfied with analyses that consider the current GPS constellation rather than the 21 satellite constellations guaranteed by the SPS. Finally, they do not require 99.5% availability at every airfield worldwide. Instead, they consider average availabilities over the globe. These three differences make military ARAIM based on a single constellation feasible, while they are not feasible for civil requirements.

A military co-development of ARAIM would be very valuable to the civil community. The military has immediate access to dual frequency diversity based on the military signals at L1 and L2 (1227.60 MHz). These L2 signals are not suitable for civil use because they are not within an ARNS portion of the radio spectrum, and further, in over 30 nations this band is allocated on a primary basis to fixed and mobile services. However, the flight data and experience would certainly be helpful. A system using L1 and L2 would provide a demonstration of dual frequency operations that the civil community could then emulate using L1 and L5. Single constellation ARAIM is analyzed in Section 8.

The promise of ARAIM has yet to be realized and substantive technical issues remain. These issues are identified in Section 1.6, which also identifies next steps to address these concerns.

1.5.4. Schedule Risk

26 Both of the above described recommendations are reasonably robust to schedule. The dual frequency recommendation for WAAS and GBAS only assumes that L5 will march predictably towards a 2018 initial operating capability where IOC is defined as at least 18 L5-capable SVs are operational. The ARAIM recommendation is entirely based on the GPS civil service plus the civil service from one other GNSS core constellation. Thus, it does not depend on integrity from GPS IIIC or the Galileo Safety-of-Life service. Specifically, these recommendations aim to provide a worldwide LPV-200 service well before the 2030 timeframe associated with GPS IIIC integrity and more powerful than integrity from any single GNSS core constellation.

1.6. Future Work for ARAIM Development

Key issues for the development of ARAIM are discussed in the following subsections.

1.6.1. Generation and Validation of the Integrity Support Message The development of the ISM requires substantial work. As mentioned earlier, these messages could originate from a suitably modified SBAS. They may also be generated by the geographically concentrated network of reference stations used by GBAS. Perhaps, the ISM messages could be generated by a shared reference network operated and maintained by the international civil aviation community. In the longer term they could be made available by the GPS and Galileo control segments.

In any event, ISMs must be prototyped and validated. Difficult questions remain concerning the extent of the reference network and the aircraft update time. On one extreme, we can hope that these messages can be generated based on the last few passes of the satellite under test over a single reference site. Moreover, they can be used to provide LPV-200 operational approval at the time of aircraft dispatch. In short, we would certainly prefer that a real-time integrity channel is not needed to support the time- to-alert from the ground. After all, if ISMs are needed in real time, then the resulting architecture does not offer any significant simplifications relative to the current SBAS and GBAS.

Our expectation is that ARAIM results in a system that can delegate the responsibility for all post-dispatch faults to the aircraft. This expectation must be scrutinized and will require a satisfactory analysis of the threats described in the next subsection. It will also require maturation of an operational concept that finds significant benefit in such a re- allocation of the integrity burden.

1.6.2. ARAIM Threats and Potential Mitigation

Two substantive threat classes have emerged. Both require more attention and study to ensure they are fully understood and can be properly mitigated.

27 First, any potential fault that yields hazardous position errors without causing the satellite measurements to be inconsistent is problematic. RAIM and ARAIM tests the consistency of the satellite measurements. If the last ISM is received at dispatch and the fault does not trip the ARAIM alarm, then hazardously misleading information (HMI) could be introduced by faults that occur during an exposure time equal to the duration of a flight.

This first class of faults may well have a poster child already: faults in the Earth Orientation Parameters (EOP). These parameters relate the satellite orbits to the fixed earth. If these parameters are faulted, then the earth is effectively rotated underneath the satellites and the aircraft. Since ARAIM only measures the consistency of the satellite measurements, it would have no direct measurement of this earth rotation. The path points that specify the final approach segment of flight would no longer accurately lead to the runway.

Fortunately, certain tests under consideration may be effective against EOP faults. The position fix from one constellation could be compared to the position fix from another constellation. If the EOP protocol for the first GNSS is independent of the EOP treatment in the second GNSS, then this test may have the power to detect EOP faults. Section 4 includes a preliminary analysis of this possibility. Alternatively, an additional test could be performed in the aircraft to compare any new navigation message to the previous navigation message. Such a comparison of new to old may have enough sensitivity to detect hazardous changes in the navigation message due to an EOP fault. Of course, the avionics could conduct a constellation-to-constellation test and a new-to- old test in concert.

Second, the provenance of the ISM is of concern. This message carries key parameters used by ARAIM including those that define a probability density function that overbounds the true error distribution for each satellite measurement. If these parameters fail to generate such an overbound, then HMI could result. Thus future work must consider strategies to mitigate this possibility. These study efforts should contemplate scaling factors that would inflate the overbounding densities. Such inflation must not be too aggressive; otherwise the availability penalties would wash out the utility of ARAIM. In addition, the future work must consider the software design assurance processes used to generate the ISM data. The software architecture would need to be qualified to the software design assurance standard RTCA DO-278 Level 2 or equivalent.

Both of these troublesome fault classes are discussed in Section 2, which also proposes first ideas to mitigate these threats.

1.6.3. Data Links and Format for the ISM

As described above, the ISM is developed using reference receivers on the ground, and then communicated to the aircraft. Our hope is to support an operational concept where the ISM is communicated at the time of aircraft dispatch or entry into new airspace. If successful, ARAIM would enable a wide variety of data links. For examples, ISM could

28 be communicated using new SBAS message types. It could be communicated using the GBAS VDB data broadcast. Alternatively or in addition, it could be communicated using any of the links planned for the future air traffic control or surveillance. These alternatives must be examined and suitable data formats developed for the most attractive options.

1.6.4. New Performance Requirements

Navigation systems supporting vertical guidance of aircraft are subject to several requirements governing their performance. The requirements are standardized through the International Civil Aviation Organization (ICAO). The requirements for GNSS- based systems are still evolving to accurately identify which system characteristics are truly needed and how to best describe the requirements. At present, the GNSS requirements are being updated to include more information on system position error accuracy. Previously, it was specified that the system meet an accuracy requirement (specified at the 95% level) and an integrity requirement (specified at the 99.99999% to 99.9999999% levels). There is a current effort to provide requirements also at the 99.999% level (see 2.1.3). However, there is some uncertainty as to how this requirement is to be specified and how it will be evaluated. Both SBAS and GBAS appear to easily meet this requirement without any necessary modifications. However, it is possible that a more strict application of this requirement could have a significant influence on when the system is declared operational. As this new requirement is still under development, we have chosen to base our report on the premise that like SBAS and GBAS, it will not impose a significant constraint on availability. As the language and interpretation of this requirement matures we will continue to monitor its potential impact.

1.6.5. High Fidelity Prototyping

An authoritative analysis of ARAIM must include the simulation of faults beyond those experienced in the data analyzed in Section 6. To this end, a high fidelity prototype is needed to build confidence and address the more extraordinary fault mechanisms hypothesized in Section 3. This prototype would mimic an ARAIM user exposed to actual measurements at a one second rate. This prototype would support the testing of the future ARAIM user, the ISM message and the ARAIM major threats (and mitigation thereof). It would assess performance relative to the appropriate time-to-alert.

The current WAAS correction and verification prototype is a good starting point for this ARAIM prototype. The extant prototype can be run at various FAA facilities using actual one-second field data providing high fidelity outputs. Furthermore, this high fidelity output data can be fed into various other pieces of software to simulate users applying the MOPS protection level algorithms. The natural evolution of this ability is to code a future ARAIM user which takes in one second data and applies modified protection limit equations to assess future performance levels. Furthermore, both

29 ARAIM fault scenarios (corrupted EOP data for example) as well as an ISM would need to be coded. As stated above, the ISM could be generated via a suitably modified SBAS, and the current WAAS correction and verification prototype would be an excellent starting point for such a message. Size, structure and content of an ISM should be prototyped in order to correctly asses the viability of such a scheme.

1.6.6. Chronology

As discussed above, the GEAS makes two central recommendations:

• develop and deploy dual frequency WAAS and GBAS • develop and validate multi-constellation ARAIM.

The first recommendation is based entirely on GPS while the second leverages the forthcoming navigation systems. However, the GEAS currently offers no recommendation for the relative timing of the two corresponding efforts to develop avionics. Presumably, receiver manufacturers would wish to accommodate dual- frequency diversity, multiple constellations and Automatic Dependent Surveillance- Broadcast (ADS-B) in their next build for certification. The GEAS will seek input from the avionics community and recommend a chronology consistent with the voiced business plans of the avionics manufacturers. Upcoming meetings with RTCA and EUROCAE are planned and will address this issue.

1.6.7. Alternate Navigation Alternate navigation should remain as a priority to cope with RFI, accidental, scheduled or malevolent. This reversionary source for guidance needs to be totally independent of GNSS. Today, aviators revert to the traditional suite of terrestrial navigation aids including VHF Omni-directional Radio Range (VOR), DME and ILS. Maintenance of this ground infrastructure is expensive and new alternate navigation systems should seek to leverage new ground systems that are being installed for aircraft surveillance or mobile satellite service that have high power signals compared to GNSS. In particular, the aircraft surveillance community is installing ground based transmitters that could support surveillance and navigation based on multi-lateration.

30 2. LPV-200 Requirements and Threats

This study targets LPV-200 capability, which supports vertical navigation for aircraft approach operations down to 200’ above the ground. To this end, this section first describes the performance requirements needed to support LPV-200 and then identifies threats that might prevent these requirements from being met. Then, it discusses the potential occurrence of multiple faults. Multiple faults were not considered during the development of conventional RAIM for lateral navigation. However, they must be considered for the development of advanced RAIM for LPV-200. As described in Section 1.6.2, work is still required in the area of multiple faults.

2.1. Performance Requirements to Support LPV-200 Capability

As described in Section 1, conventional RAIM supports lateral navigation. In contrast, LPV-200 requires lateral and vertical guidance and has much tighter alert limits. In this subsection, performance requirements of LPV-200 are described. Where appropriate, requirements for conventional RAIM are also described briefly for comparison. Some navigation requirements for LPV-200 do not have clear definitions in the existing literature. In such cases, GEAS inferred a requirement based on relevant material from existing standards. The requirement that the Vertical Protection Level (VPL) be below the Vertical Alert Limit (VAL) is the dominant limitation to performance. Hence, the following discussion focuses on the vertical dimension.

2.1.1. Probability of Hazardously Misleading Information (HMI)

HMI exists when the Horizontal Position Error (HPE) is greater than the Horizontal Protection Level (HPL) or the Vertical Position Error (VPE) is greater than the VPL for longer than the time-to-alert (TTA). For the applications using conventional RAIM, the integrity requirement is that Pr{HMI} must not exceed 10−7 / hr. For LPV-200, the assumed integrity requirement is that Pr{HMI} must not exceed 10−7 per approach. The current ICAO Annex 10 requirement for Approach with Vertical guidance (APV) approach and Category I approach is that Pr{HMI} must not exceed 2×10-7 per approach [ICAO1]. The GEAS evaluated only the contribution to Pr{HMI} for the vertical dimension. This GEAS assumption is consistent with the ICAO requirement provided that the overall allocation of 2×10-7 is evenly split between the horizontal and vertical dimensions. For LPV 200, the VAL is 35 m, and the Time-To-Alert (TTA) requirement is 6 seconds.

2.1.2. False Alert Probability Requirement

For conventional RAIM, the maximum allowable false alert probability is required to be less than 0.002 in any given hour when it is used as a supplemental means of navigation for en route through LNAV approach [RTCA/DO-229D]. This probability is required to be less than 10-5/hr when it is used to support a primary means of navigation for the same

31 phases of flight [RTCA/DO-229D]. For LPV-200, the GEAS-assumed requirement for the airborne algorithm is 4 × 10−6 per 15-sec interval, which was derived from the ICAO continuity risk requirement. It is half of the ICAO requirement of (8 × 10−6) per 15- second interval, which applies to losses of service from all causes, including those external to the receiver processing [ICAO1]. The allowable false alert probability per sample is taken to be the same as the probability per 15-second interval at 4 × 10−6.

2.1.3. Effective Monitor Threshold (EMT)

The EMT is an additional LPV-200 requirement on the vertical position error. It is based on operational trials that showed that an additional requirement was needed beyond the normal requirements on vertical accuracy and integrity [ICAO2]2. This requirement bounds the probability on vertical errors larger than 15 meters, because such errors can introduce a significant increase in the flight crew workload and potentially a significant reduction in the safety margin. Concern is greatest when the vertical errors shift the point where the aircraft reaches the decision altitude closer to the runway threshold where the flight crew may attempt to land with an unusually high rate of descent. For these reasons, the FAA established a requirement to limit vertical position error in the event of a fault condition. (In the absence of a fault condition, there is a separate new requirement [ICAO2] that under fault-free conditions, the Pr{VPE > 10 m} < 10-7.) This requirement, known as the EMT, was interpreted to mean that a fault must be detected at least 50 percent of the time when an error is present that creates a vertical positioning error equal to the EMT. Meeting this requirement is a condition for availability of service for each user-satellite geometry. In contrast, conventional RAIM has no such requirement for the median value of vertical error.

After the GEAS agreed on the above EMT requirement, a more stringent requirement was approved for publication in Annex 10 by the ICAO Navigation Systems Panel (NSP). The new requirement states that the probability of an undetected fault resulting in a vertical position error exceeding 15 m must be less than 10-5 per approach. (For further information, see [ICAO2]). As discussed in Section 1.6.4, the GEAS has an open question regarding the correct interpretation of the requirement. For this reason, this requirement is not considered in this report.

2.1.4. 95th Percentile Accuracy of the Vertical Position Error (VPE)

The 95th percentile vertical accuracy requirement for LPV-200 is 4 m. Conventional RAIM has no specific accuracy requirement because GPS gives more than adequate accuracy margins for its en route through LNAV approach applications.

2 The current version of ICAO Annex 10 does not have LPV-200 requirements. However, in Annex 10, similar requirements are to be found under the CAT I label. In the future, Annex 10 will be updated to include LPV-200 requirements.

32 2.2. GNSS Fault Causes and Effects

GNSS faults may be characterized both in terms of their causes and their effects. The LPV-200 requirements imply that a threat is any condition that could contribute to the 95% position error exceeding 4 m or lead to a position error greater than the protection levels.

The two subsections that follow list GNSS faults based on their origin (e.g. spacecraft, ground segment, etc.). However, fault effects are ultimately more important than fault origin. For example, consider the creation of the dual frequency measurement processing by the user equipment. An L1/L5 ionosphere-free range residual is derived from differencing a range measurement with the expected range to a satellite based on navigation message data including clock and ephemeris parameters and group delay corrections. In order to reduce the effects of airborne equipment pseudorange multipath and thermal noise, user equipment used for LPV-200 operations will smooth pseudorange measurements with carrier phase measurements. Thus, faults from many possible origins may affect this critical range residual. The size of that fault must be evaluated along with the associated a-priori probability.

2.2.1. Faults in the Space and Ground Segments

Potential signal faults have a variety of causes including: • GNSS satellite hardware, firmware or software fault due to design flaws, memory corruption or random hardware failures. These include satellite clock runoffs that are unexpected changes in clock phase and/or frequency. They also include satellite ephemeris errors caused by un-commanded maneuvers such as leaks in a pressurized fuel tank. Other examples are signal modulation imperfections caused within the circuitry inside a satellite and gamma rays corrupting satellite memory • Operational error by GNSS ground segment staff. These include satellite ephemeris errors caused by the failure to set a satellite’s health status to “unhealthy” before a satellite maneuver. • GNSS ground segment hardware, firmware, software errors or design flaws, either at a Master Control Station (MCS) or at Monitor Stations (MSs) • Atmospheric and environmental factors that cause range measurement errors at MSs. These include unmodeled ionospheric delays introduced by space weather. • GNSS navigation message bit transmission errors, whether the errors occur in terrestrial communications links or in space.

2.2.2. Faults in the User Equipment and Signal Propagation Errors

In addition to faults in the space and ground segments, ARAIM would also play a role in detecting user equipment (UE) faults and signal propagation errors. Importantly, autonomous algorithms distinct from ARAIM may also provide protection for UE faults. Examples of these kind of faults include the following:

33

• Undetected cycle slips and half-cycle slips • Radio frequency interference (RFI), if it results in significant errors • Tropospheric errors (if sufficiently large) • Signal multipath reflections in the environment around a user equipment antenna • User equipment hardware, firmware, and software errors and design flaws • User equipment antenna biases

Other faults may also occur. These include errors in the user equipment navigation database that defines an airport approach path or other approach definition parameters. Such faults are outside the responsibility of ARAIM to detect and would be handled in accord with current practice for SBAS.

2.2.3. Fault Probabilities and Time to Alert

The historical frequency of GPS signal faults is about 3 per year for the GPS constellation as a whole [Cohenour]. This frequency is equivalent to a probability of onset of about 10-5 per satellite per hour. Correspondingly, the GPS SPS Performance Standard [GPS-SPS] contains an assurance that the probability of a major service failure will be less than or equal to 10-5 per satellite per hour. The SPS Performance Standard defines a major service failure as the following event: the instantaneous User Range Error (URE) exceeds the product of 4.42 times the broadcast URA value when the satellite is set “healthy” without a timely alert being issued. This definition excludes any error that is not under direct control of the system (for example, single-frequency ionospheric errors are excluded). In the GPS-SPS, an alert is defined to be timely if it occurs within 8 or 10 seconds. A time-to-alert (TTA) of 8-10 seconds is better than or equal to the required TTA for en route through LNAV operations, but not adequate for LPV or LPV- 200 operations.

2.3. Single Faults Versus Multiple Faults

As mentioned earlier, conventional RAIM algorithms are currently used for integrity assurance during en route through LNAV approach flight operations [FAA AC 20-138A, RTCA DO-208, FAA TSO C129/129a, RTCA DO-229D, FAA TSO C145c/C146c, RTCA DO-316, and FAA TSO C196]. These algorithms were designed to assure that integrity requirements are met under the assumption that a signal fault exists on only a single satellite used in the position solution at any given time. Such an assumption is valid for these applications, which can tolerate horizontal position errors up to a Horizontal Alert Limit (HAL) of 556 meters or greater, and which do not use vertical guidance from GNSS. However, it is not known whether range errors that could cause a hazard for LPV-200 (e.g., vertical position errors of about 15 m to 35 m) might occur on more than one satellite at the same time. No assurance is provided in the GPS SPS Performance Standard on the occurrence of multiple signal fault conditions.

34 2.3.1. Effects of Multiple Signal Faults on Advanced RAIM

Multiple signal faults would be worrisome because certain combinations of range errors could degrade the ability of ARAIM to detect signal faults. ARAIM, whether done in the position domain or in the range domain, is a consistency check that is performed when redundant range measurements exist. If all range measurements are consistent with the same (incorrect) satellite position, ARAIM cannot detect such a fault condition. Such errors are called “consistent” errors or consistent signal faults. For example, consistent faults could exist if all satellite ephemeris parameters were based on a faulted estimate of earth orientation. In this example, the relative orientation of the earth is shifted relative to all satellite positions. Hence, such a fault would not be detected by ARAIM. Whether such fault conditions are considered “credible” is discussed below. (“Credible” fault conditions must be considered in the safety assessment process required for systems to be approved by FAA as described in SAE ARP 4761 [SAE-ARP].)

In the more general case, multiple signal faults may occur due to a common cause, but are not necessarily consistent. In other words, ARAIM fault detection statistics may respond to their presence. However, the multiple faults may obscure detection and weaken the provable performance of ARAIM.

2.3.2. Historical Observations of Multiple Fault Conditions

Two cases of multiple GPS errors are known to have occurred. Steps have been taken to prevent recurrence of the first, and the second would not have affected dual-frequency users even if it recurred. In March 1993, ranging errors for multiple satellites grew over a two-week period to as much as 40 m [Shank], due to the failure of the operational control segment software to reconcile the time references among different subsets of satellites. This error was not significant for civil users, because Selective Availability (SA) was in effect at that time, and caused comparable errors. Actions have been implemented to prevent recurrence of this event.

The second example occurred from 28 May through 2 June of 2002 [Hutsell]. Ionospheric correction terms, which are used to compute an ionospheric correction term for all GPS satellites used by L1 single-frequency users, contained an error. L1 single- frequency range errors may have been as high as 16 m on multiple range measurements. The errors were due to an incorrect value in an ionospheric correction database which was the source of ionospheric correction terms in the navigation message of all GPS satellites between 28 May and 2 June 2002. The database error has since been corrected.

2.3.3. Potential Causes of Consistent or Multiple Faults

The GEAS has identified potential causes of consistent or other multiple-signal fault conditions that are considered credible. The GPS program plans mitigations for many of these. However, not all mitigations will necessarily be implemented in the GPS

35 operational control segment or on GPS satellite blocks prior to the Block IIIC time frame, or they may not be implemented to the level of rigor required by FAA for LPV-200 operations. The FAA safety assurance process requires the use of design assurance processes in the development of software and hardware used for safety-critical applications. The level of rigor required in the design assurance process depends on the severity of the failure condition that could result in the event of failure or malfunction of the software or hardware. The occurrence of erroneous navigation information during an LPV-200 approach is considered a “severe-major,” also called “hazardous”, failure condition. Software in ground systems whose malfunction could cause a hazardous failure condition is required to be developed to design assurance level 2 of the software assurance standard RTCA DO-278 (or equivalent), for example. Level 2 of DO-278 is equivalent to DO-178B Level B. See SAE ARP 4761, RTCA DO-278, RTCA DO-178B, and RTCA DO-254 for further information.

Potential causes of consistent or other multiple fault conditions in GPS are now listed. In general, these faults are based on consideration of the data used by the GPS Master Control Station (MCS). However, they could also exist in other core constellations.

• Earth Orientation Parameters (EOPs) or Earth Orientation Parameter Predictions (EOPPs) are used by the GPS MCS to mathematically describe the relationship between an Earth-centered-Earth-fixed (ECEF) coordinate frame and an inertial coordinate frame. A set of erroneous EOPs is a special example because it could lead to all GPS satellites having consistent signal faults. If all GPS satellite ephemeris parameters were consistent with an incorrect earth orientation, the range residuals observed by airborne user equipment would all be consistent with the same position – but not the correct position relative to the earth. Such a situation would not be detected by ARAIM. • Erroneous phase center location estimates of one or more GPS monitor station antennas could yield multiple satellite measurement errors, which could contribute to multiple signal faults. • Erroneous values of various constants used by the GPS MCS to estimate satellite orbits and clocks could be worrisome. These include π (pi), c (the speed of light), μ (the Earth’s gravitational constant), and others. Even though correct values of such constants are initially stored in the GPS MCS, there is the theoretical potential for them, or anything else stored in memory, to be corrupted due to memory bit errors • A hardware fault at an MS, or a hardware or software design flaw that manifests at one or more MSs could cause multiple erroneous satellite range measurements. These measurements are used by the GPS MCS in estimating satellite orbits and clocks. • Errors made by the GPS MCS software or hardware due to design flaws or due to equipment failures should be considered. A software design flaw is a software design that is not consistent with the intended software requirement (i.e., the intended algorithm). • A common design flaw in multiple satellites that manifests simultaneously could lead to multiple errors. Credible mechanisms for the simultaneous occurrence of satellite- caused multiple fault conditions have not yet been identified other than signal quality

36 distortions that result in range measurement error biases that significantly differ for UE and MS receivers. These range measurements errors may be handled in the ARAIM protection levels.

2.3.4. Treatment of Multiple Faults in This Report

Multiple-signal fault conditions are not yet fully characterized for all possible causes of such conditions. Needed characteristics include: the a priori fault probability, fault magnitudes, and growth rate. Appendix C discusses several options to address the EOP threat. However, these options are preliminary at this point.

The ARAIM algorithm is described in Section 3, and the corresponding availability results are presented in Section 4. The ARAIM algorithm, described herein, is designed to detect single-fault conditions. Section 3 provides an allocation of the integrity requirements that the probability of multiple-signal fault threats is small. In other words, our ARAIM algorithm and analysis assumes that multiple-fault conditions are mitigated in some other fashion, such as core-constellation design, ground monitoring, and/or separate airborne evaluation of broadcast data. Section 5 provides a preliminary description of suitable ground monitoring strategies. If multiple-signal fault conditions cannot be mitigated by these other means, the ARAIM algorithm may need to be modified to detect multiple failures [Blanch2]. For example, if constellation wide failures are considered credible threats, ARAIM will need to include tests of one constellation’s position estimate against all others (Section 3.4.3 provides an example of an algorithm using such tests). Such a test would decrease overall availability, as each constellation would need to provide a sufficiently accurate position estimate on its own. Availability estimates of the algorithm described in 3.4.3 are given in Lee3.

37 3. ARAIM Basic Concept and Proposed VPL Equations

Conventional RAIM has been used for many years for en route through LNAV approach, and algorithms suitable to perform that function are well known. The GEAS conducted a careful review of the issues associated with the use of RAIM for vertically guided approaches (LPV-200). They concluded that modifications would be needed to the RAIM algorithm in order to ensure satisfactory integrity performance. The four main reasons for this are:

• The design assurance level required to support lateral navigation is major while the level required for vertical guidance is severe-major/hazardous. This increase creates much more strict burdens of proof on the system safety assurance. There are stricter requirements on the hardware, software, and algorithm analyses. Threats need to be evaluated to lower probabilities. • Alert limits for LPV-200 are fairly small compared to those for LNAV approach. As such, the effect of small range errors due to several sources (e.g., errors due to nominal signal deformations, antenna biases) cannot be ignored when analyzing the integrity performance of the algorithm. These small range errors include errors that remain essentially constant throughout the duration of an approach, and therefore cannot be treated as if they were purely random (i.e., uncorrelated over periods of time of 15 seconds or more). • Conventional RAIM assumes that only one satellite can become faulty at a time. This assumption is valid if the intended operations are limited to en route through LNAV approach because the probability of a fault causing a ranging error large enough to cause the position error to exceed the alert limit of 556 m for LNAV approaches (or even larger for en route and terminal navigation) is already quite small. Thus the risk of having two or more satellites with errors hazardous to LNAV is negligibly small. As discussed in Section 2, the risk of multiple faults is assumed to be small but nonzero for LPV-200. This complication results in a different risk allocation. • Additional requirements are imposed on vertically guided approaches such as LPV- 200 operations. For example, the accuracy requirements of en route through LNAV approach operations are sufficiently loose that any reasonable RAIM implementation would always meet them. This is no longer the case when the intent is to support vertically guided approaches.

For these reasons, the GEAS developed a modified RAIM algorithm named Advanced RAIM (ARAIM). This algorithm is still under development and has not yet reached the level of maturity that would be required to standardize the algorithm. However, careful consideration has been given to improvements that address the issues discussed above.

ARAIM has been developed primarily to provide integrity monitoring for LPV-200 operations well before the 2030 timeframe. As described in the Section 1, it would enable smooth incorporation of improvements associated with the modernization of GPS or the other core constellations. However, ARAIM does not depend on the integrity improvements associated with GPS IIIC. Thus it could be used to support LPV-200

38 operations when the Open Service provided by any one of the other core constellations reaches a final operational capability.

Section 3.1 describes the assumptions that derive the ARAIM design described herein. Section 3.2 describes the ARAIM concept. It includes a discussion of techniques to maximize ARAIM availability. It is based on preliminary VPL3 equations that were developed to meet the assumptions described in Section 3.1. Section 3.3 describes more advanced VPL equations for ARAIM that allow more flexible treatment of range biases. These advanced equations use the signal-in-space ranging error characteristics carried by the ISM. As mentioned earlier, the ISM could be broadcast by GBAS, SBAS, future GPS or the other core constellations. Future user equipment would combine the ISM data with error bounds that account for user equipment error, and Section 3.3 describes this combination. Finally, Section 3.4 generalizes our ARAIM algorithm to the multi- constellation setting.

3.1. Assumptions

3.1.1. Satellite Ranging Error Characteristics

For conventional RAIM, it was assumed that satellite ranging errors have a zero mean Gaussian distribution. Such an assumption was more than adequate for the applications for which conventional RAIM was used. However, for ARAIM, the GEAS decided to explicitly consider the presence of biases in the range measurements Examples of such effects are antenna biases [Shallberg] and nominal signal deformations [Mitelman, Phelts2]. The effect of the biases on users with different satellite geometries may be very different. For this reason, the GEAS agreed that the algorithm should protect against the worst case distribution, which occurs when the contributions from these biases to user position error all have the same sign. Explicit consideration of biases may also account for other non-zero mean errors and may provide an alternative means of overbounding the fat tail end of the non-Gaussian distributions. Therefore, each satellite ranging error is modeled as a combination of random and bias components. In the development of ARAIM, the GEAS decided to use a different set of parameters, one for integrity and the other for continuity/accuracy. Integrity directly affects safety-of-life, and so the corresponding calculations overbound the extreme conditions that might affect the integrity of the measurements. In contrast, accuracy and continuity calculations are based on realistic performance estimates. Therefore, two sets of parameters are defined below for random and bias components of the satellite ranging errors and for the airborne error model.

3.1.2. URE

URE is the non-integrity-assured standard deviation of the range component of clock/ephemeris error and is used to evaluate accuracy and continuity performance. In

3 VPL is a high integrity bound on user position error computed by the user equipment.

39 the GEAS Phase I report, ARAIM availability was assessed for a URE value of 0.25 m because it was judged to be the most likely. Since future performance is not precisely known, different URE values are assumed in this report for sensitivity analysis, as will be described in Section 4.

3.1.3. URA

URA is the standard deviation of a distribution that bounds the distributions of the range component of clock/ephemeris error in the absence of a fault condition and is used to evaluate availability of the integrity monitoring function. URA (SISA for Galileo) may be either broadcast from individual satellites or provided to the users via the ISM discussed in Sections 1 and 5. In the GEAS Phase I report, ARAIM availability was assessed for a URA value of 0.5 m because it was judged to be most likely. Since future performance is not precisely known, availability is estimated for a range of different assumed URA values in this report.

3.1.4. Bias in Range Measurements

The GEAS analysis was based on two levels of bias magnitudes. One is a typical magnitude of a bias in a nominal condition. This magnitude is used for the evaluation of accuracy and continuity. The other is the maximum bias magnitude used for the evaluation of integrity. The maximum bias magnitude is the maximum only under fault- free conditions; an integrity fault could cause a bias-like error of arbitrary size. While ARAIM was assessed assuming a nominal bias magnitude of 10 cm and maximum bias magnitudes of 75 cm in the GEAS Phase I report, different maximum bias magnitudes are assumed in this report for a sensitivity analysis, as will be described in Section 4. The nominal bias magnitude is fixed at 10 cm.

3.1.5. Airborne Error Model

In addition to URA or URE, the error in the user receiver range measurement includes tropospheric error, airborne multipath error, and user receiver noise. For these errors, two different airborne error models are used, one set for continuity and accuracy, and the other for integrity in the VPL calculations. These models are described in [Blanch, Lee2].

3.1.6. Satellite Integrity Failure Models

For conventional RAIM, an a priori probability of onset of a fault was assumed to be 10-4 for the set of satellites used in the user position solution per hr [RTCA]. For ARAIM, the integrity failure rate is assumed to be 10-5 per hour per satellite.4 This hourly rate must be converted to a rate per approach. This conversion needs an estimate of the mean time to remove or flag the fault. For the purpose of the current analysis, we assume that the

4 Although the definition of a fault is not identical, the GPS SPS Performance Standard [GPS-SPS] assures that the probability of a major service failure will be less than 10-5/SV/hr.

40 GPS Control Segment informs the user within one hour of the fault onset. This assumption results in an independent integrity failure rate on individual satellites of 10−5 per approach per satellite. We assume that the rate of faults causing multiple simultaneous satellite integrity failures is 1.3 × 10−8 per approach according to [IFOR]. As described in Section 2, a multiple satellite fault may occur when a common mode fault affects multiple satellite range measurements simultaneously or when multiple satellites independently become faulty simultaneously.

3.1.7. Pr{HMI} Requirement Allocation

For conventional RAIM, the Pr{HMI} requirement is allocated equally among faults of all satellites in view, and the probability of multiple satellite faults is neglected. From a Pr{HMI} requirement of 10-7 and an a priori probability of onset of a fault of 10-4/hr for the set of satellites used in the user position solution, the conditional probability of a missed detection (Pmd ) requirement of 0.001 was derived. For Advanced RAIM, the total allowable Pr{HMI} requirement is allocated among three cases as illustrated in Figure 3-1: a fault-free case, individual satellite faults, and multiple satellite faults.

The fault-free case: This case covers the causes of HMI that are due to large random errors that can occur with small probability in the normal operation of the system such as those caused by receiver noise, multipath and inaccurate tropospheric delay estimation along with an unfortunate combination of bias errors.

The individual satellite fault: In this case, the integrity risk is the product of the assumed prior probability of a single fault and the conditional probability that it is not detected by ARAIM and leads to HMI.

Multiple satellite faults: This probability is assumed to be 1.3 × 10−8 per approach (see Section 3.1.6). In ARAIM no attempt is made to detect HMI explicitly caused by multiple satellite faults. Instead, this probability is subtracted out from the total allowable Pr{HMI} requirement so that even if the probability of detecting an integrity failure caused by multiple faults is zero, the total allowable Pr(HMI} requirement is still met. The remaining Pr{HMI} requirement (8.7 × 10−8 per approach) is allocated to the fault-free and individual satellite fault cases.

41

Figure 3-1 Allocation of Pr{HMI} Requirement for ARAIM

3.2. ARAIM Concept

The original RAIM algorithms were proposed to perform a consistency check in the range and position domains in order to provide autonomous integrity monitoring [Lee1]. For conventional RAIM, the least squares residual (chi-square) method (range comparison method) [Brown] and the solution separation method (position comparison method) [Brenner] have been used. ARAIM has been developed by modifying the solution separation method because this method is easier to modify for the purpose of providing enhanced capabilities desired for ARAIM [Blanch1, Lee2].

3.2.1. ARAIM Algorithm

The ARAIM algorithm for the vertical dimension consists of the following:

Full-set vertical solution (Δx)

Δx0 = S0Δr (3-1)

where Δr is the vector of pseudorange residuals and the projection matrix S0 is given by

T −1 T S0 = (G WURAG) G WURA (3-2)

th WURA is a diagonal weight matrix whose n diagonal element is a function of URA and airborne error model assumed for integrity parameter calculation for the nth satellite:

42 1 WURA,n = 2 2 2 (3-3) URAn +σ n,user +σ n,tropo

2 where σ n,user accounts for multipath and user receiver noise.

th n subset vertical solutions (Δxn)

Δxn = Sn Δr (3-4) where the projection matrix

T −1 T Sn = ()G M nWURAG G M nWURA (3-5)

th M n is an (N × N) identity matrix with the n diagonal element zeroed out

th Test statistics for n satellite fault detection (dn):

d n = Δxn − Δx0 (3-6)

th Detection threshold for the n test statistic (D n):

ΔSn = Sn − S0 (3-7)

N Dn = K ffd ,n ×σ dV ,n + ∑ ΔSn (3,i) × Nominal_Bias(i) (3-8) i=1 where

K ffd ,n 's are determined for all n = 1, 2, ... N so as to meet the continuity requirement,

σ dV ,n , which is one standard deviation of dn in the vertical direction, is given by

σ dV ,n ≡ dPn (3,3) (3-9) where

−1 T dPn = ΔSn WURE ΔSn (3-10)

Note that Sn and S0 above are obtained with the same weights. WURE is a diagonal weight matrix that is similar to WURA but based on URE and airborne error model assumed for accuracy/continuity parameter calculations. The variances of the ranging errors are based on the same model because detection thresholds are parameters affecting continuity. For the same reason, the second term of Dn is calculated assuming a nominal bias magnitude.

43 The signs of the bias errors are aligned in the worst manner (i.e., the contributions to vertical position error are assumed to have the same sign). Thus this term ensures that the continuity requirement is met regardless of the actual signs of the bias errors.

The selection of the K ffd ,n 's is discussed below in subsection 3.2.3.

VPL equation

The ARAIM VPL is derived from the fault-free full-set VPL (VPL0 ) and the faulted subset VPL (VPLn ), given as follows:

N VPL0 = K md ,0 ×σ V ,0 + ∑ S0 (3,i) × Maximum_Bias(i) (3-11) i=1 where

Kmd,0 is determined along with Kmd,n’s in VPLn equations to meet the integrity requirement

σ V ,0 ≡ P0 (3,3) (3-12) T −1 P0 = (G WURAG) (3-13)

Since VPL0 is a term affecting integrity, the second term of VPL0 is calculated assuming a maximum bias magnitude. The signs of the bias errors are aligned in the worst manner, i.e., the contributions to vertical position error are assumed to have the same sign. This is done to ensure that the integrity requirement is met regardless of the actual signs of the bias errors.

For the nth subset, N VPLn = Dn + K md ,n ×σ V ,n + ∑ Sn (3,i) × Maximum_Bias(i) (3-14) i=1 where

K md ,n 's are determined along with K md ,0 in the VPL0 equation to meet the integrity requirement.

σ V ,n ≡ Pn (3,3) (3-15) T −1 Pn = (G M nWURAG) (3-16)

Since VPLn is a term affecting integrity, the second term of VPLn is calculated assuming a maximum bias magnitude. The signs of the bias errors are assumed to be such that their contributions to vertical position error have the same sign. Thus, the integrity requirement would be met regardless of the actual signs of the bias errors.

44

3.2.2. ARAIM Availability

Ideally ARAIM is declared available if the following three conditions are satisfied:

• VPL ≤ VAL where VPL = max { VPL0, max(VPLn) } (3-17a) • EMT = max{Dn} ≤ 15 m (3-17b) • 95% vertical accuracy ≤ 4 m (3-17c)

While 95% vertical accuracy is one of the criteria for ARAIM availability, it was found that the pseudorange accuracy models when converted to position domain yielded dramatically larger predicted errors than are actually observed, as was stated in the GEAS Phase I report. Consequently this criterion is not enforced in the current evaluation. Also, the EMT criterion is not constraining. For these reasons, ARAIM availability can be maximized by minimizing VPL as discussed below.

3.2.3. Optimization of ARAIM for Improved Availability

Before optimization is considered, we first consider a baseline ARAIM formula without optimization. From Eqs. (3-7), (3-10), and (3-13), it is observed that there are three sets of coefficient K’s that can be adjusted to change the value of VPL: Kffd,n, Kmd,0, and Kmd,n. The continuity and integrity requirements can be met by selecting these coefficients as follows:

⎛ P ⎞ −1⎜ ffd ,n ⎟ K ffd ,n = −Q ⎜ ⎟ (3-18) ⎝ 2 ⎠ where N ∑ Pffd ,n ≤ Total_Pfa (3-19) n=1 ⎛ Pr{HMI }⎞ −1⎜ fault− free _ case ⎟ K md ,0 = −Q ⎜ ⎟ (3-20) ⎝ 2 ⎠ ⎛ Pr{HMI }⎞ K = −Q −1⎜ n−th _ SV _ fault ⎟ (3-21) md ,n ⎜ ⎟ ⎝ Pa _ priori (n) ⎠ where N Pr{HMI fault− free_case}+ ∑Pr{HMI n−th_SV_fault } ≤ Total _ Pr{HMI} (3-22) n=1 In the above, Q−1 is the inverse of the complement of the one-sided standard normal cumulative distribution function (CDF).

Baseline ARAIM

45

In the baseline case, the total false alert probability requirement is equally divided among the faults of all N satellites in view. That is,

⎛ Total _ P ⎞ −1⎜ fa ⎟ K ffd ,n = −Q ⎜ ⎟ (3-23) ⎝ 2× N ⎠

Likewise the total allowable Pr{HMI} is equally divided and allocated among the fault- free case and the cases in which any single satellite in view has a fault. That is,

−1⎛ Pr{HMI} ⎞ K md ,0 = −Q ⎜ ⎟ (3-24) ⎝ 2× (N +1) ⎠ ⎛ Pr{HMI} ⎞ K = −Q −1⎜ ⎟ (3-25) md ,n ⎜ ⎟ ⎝ Pa _ priori (N +1) ⎠

In the above, Pa _ priori is the integrity failure rate on individual satellites, assumed to be 10−5 per approach per satellite for our availability analysis. If a-priori probabilities are known to be different for different satellites, this knowledge may be utilized when designing the algorithm.

Optimum allocation of the false alert probability

Selection of Kffd,n as in Eq. ( 3-17) gives different values of the test thresholds, Dn, some larger and some smaller. Since VPL is based on the maximum value, VPL can be made smaller by choosing Kffd,n values such that Dn becomes identical for all n = 1, 2, .., N. Such a set of Kffd,n values that makes Dn identical to the extent possible is found via a numerical search. However, the improvement in VPL with an optimum allocation of Kffd,n is not as significant as it is with an optimum allocation of Kmd,n.

Optimum allocation of Pr{HMI}

Like optimum allocation of the false alert probability, Pr{HMI} may be optimally allocated such that VPL0 and VPLn for all n = 1, 2, .. N are identical. Again, this adjustment can be done via a numerical search. Ideally the false alert probability and Pr{HMI} can be optimally allocated simultaneously [Blanch2]. However, this process requires a larger amount of processing time and the gain with such a process is not significant with the current assumptions. For this reason, the ARAIM availability in this report is calculated in two steps by optimally allocating, first, the false alert probability and, then, Pr{HMI} [Lee2].

3.3. Proposed VPL Equations

The VPL equations implemented by the user equipment will employ a mix of information coming from the satellites and from the civil aviation authority approving the approach

46 procedure. Here we have followed the notation used by GPS but the URA value broadcast by the satellite could be replaced by terms appropriate to the other constellations. For example, the proposed Signal-In-Space Accuracy (SISA) would be the corresponding value for Galileo. As will be discussed in Section 5, the approving authority will provide parameters to ensure that the operation meets its targeted level of performance. Two sets of parameters are recommended, one to describe overbounding distributions for expected un-faulted behavior (alpha parameters) and another to describe nominal performance (beta parameters).

There are many possible ways to convey this information, but initially the assumption is that bandwidth will be severely constrained and that a single set of alpha and beta parameters are applied to each constellation. Section 5 describes other options if greater messaging bandwidth becomes available. The first overbounding parameter, α1, scales the URA term describing the overbounding portion of the distribution that can be Root Sum Squared (RSSed) with the other error overbounding distributions. The second two terms describe the overbounding bias term. The first, α2, scales the URA term to contribute to the overbounding bias value. The second, α3, is a constant value independent of the URA. If the errors were perfectly zero-mean, Gaussian, and the magnitude of the URA were adequate, then these values could be 1, 0, and 0 respectively. If the URA does not overbound the error, then α1 may need to be greater than one. If the bias terms are non-zero, then α2 and α3, should be selected to optimally overbound this bias term.

Similarly the beta terms describe the expected, rather than overbounding, performance. They are selected to accurately model the position error so that the detection threshold may accurately be determined. They operate in the identical way as the alpha terms except the resulting sigma and bias estimates are realistic instead of conservative. Each beta parameter is expected to be no larger than its corresponding alpha parameter and is some cases substantially smaller.

When these terms are applied, the corresponding VPL calculation becomes:

Δ=SSSnn −0 (3-26) N 22 222 DKn=Δ××++ ffd,3,1,, n∑() S n i()βσσ URA i trop i user i i=1 (3-27) N +Δ∑ ()SURAni3, ××()ββ 2 i + 3 i=1 N 22 222 VPL0,003,1=××++ Kmd∑() S i()ασσ URA i trop , i user , i i=1 (3-28) N +××+∑ ()SURA03,ii()αα 2 3 i=1

47 N 22 222 VPLnmdn=××++ K,3,1,,∑ () S ni()ασσ URA itropiuseri iin=≠1, (3-29) N +××++∑ ()SURADni3,()αα 2 i 3 n iin=≠1,

VPLARAIM= max VPL n (3-30) nN=0,

The tropospheric variance and user error term in the detection threshold calculation, Dn, may also be reduced to realistic estimates instead of overbounding terms used in the VPL calculations.

The proposed VPL equations above for Dn, VPL0, and VPLn reduce to Eqs. (3-8), (3-11), and (3-14), respectively, with the α and β parameters chosen as follows:

α1 = 1 α 2 = 0 α3 = Max_Biasi URE 1 (3-31) β = i = β = 0 β = Nominal_Bias 1 URA 2 2 3 i i

3.4. Multi-Constellation ARAIM

3.4.1. Background

As reported previously in the GEAS Phase I report and also shown in Section 4, ARAIM cannot provide a worldwide LPV-200 capability for civilian aviation with the desired availability without a significantly larger number of operating satellites than expected from the currently planned modernized GPS constellation of 27 satellites in nominal orbital positions. This single-constellation availability shortfall exists even when a rather aggressive set of assumptions is used. ARAIM performance depends strongly on the number of satellites in view of the user, which in turn, depends on the size of the constellation. If two or more GNSS core constellations could be used in combination, RAIM integrity performance and availability can be improved significantly. For this reason, civil use of ARAIM seems to need multiple constellations. However, military use of ARAIM may be well served by the GPS constellation alone, and this possibility is described in Section 8.

As described in Section 1, new satellite navigation systems are currently under development. These include Galileo being developed by Europe, GLONASS by Russia, and Compass by China. They are in different stages of their development. However, one or more of them will certainly have 24 to 30 satellites within a decade broadcasting signals near the GPS L1 and L5 frequencies.

In order to correctly estimate multi-constellation ARAIM performance, we require reasonably accurate values for the following parameters:

48 • A-priori GNSS satellite signal fault rate • Probability of multiple signal faults occurring due to a common-mode failure • Duration of fault present before it is removed or notified to the user • Signal-in-space error statistics (e.g., URA, URE, maximum bias magnitude and nominal bias magnitude) These values are needed for each GNSS constellation used by multi-constellation ARAIM. As described in Section 1, these parameters must be thoroughly validated before they can be accepted by the civil aviation authorities approving the use of ARAIM for LPV-200 approaches. The ISM is an interface that enables the communication of this data during ARAIM operations. This interface will be discussed further in Section 5.

3.4.2. Multi-constellation ARAIM formulas

ARAIM formulas shown in Eq. (3-1) to Eq. (3-16) can still be used for multi- constellation except that the observation matrix G needs to be slightly modified as follows.

When ARAIM uses a single constellation, the observation matrix G is expressed as

T ⎡e1 −1⎤ ⎢ T ⎥ e −1 G ≡ ⎢ 2 ⎥ ⎢ .. .. ⎥ ⎢ T ⎥ ⎣eN −1⎦

th where ek is the direction cosine to the k satellite and the last column is used to take into account the time offset of the user receiver clock from the given GNSS core constellation time.

When the second GNSS core constellation is used with the first, the difference between the first and second GNSS system clocks needs to be taken into account. One way of handling this offset is to broadcast the clock difference to the user, and account for its expected uncertainty in the calculation of the weight matrix element for the range measurement to each of the satellites in the second GNSS constellation. Alternatively this offset may be treated as a fifth unknown. This latter approach is used for the ARAIM availability results shown in Section 4. In this case, the G matrix is expressed as

49 ⎡⎡ 0⎤⎤ ⎢ ⎥ ⎢ 0⎥ ⎢⎢G ⎥⎥ ⎢⎢ 1 ..⎥⎥ ⎢⎢ ⎥⎥ ⎢⎣ 0⎦⎥ G= ⎢ 1 ⎥ ⎢⎡ ⎤⎥ ⎢⎢ ⎥ ⎢ 1⎥⎥ ⎢ G2 ⎥ ⎢⎢ ..⎥ ⎢ ⎥⎥ ⎣⎢⎣ 1⎦⎦⎥

where G1 and G2 matrices are for GNSS-1 and GNSS-2, respectively, and the 1’s in the last column are used to take into account the time offset between the GNSS-1 and GNSS- 2 system clocks. Each time a new GNSS core constellation is added, G is expanded in the same manner with an additional column.

3.4.3. Inter-Constellation Comparisons

As a first possibility, the GEAS considered one user algorithm called the Optimally Weighted Average Solution (OWAS) method for comparing one constellation to another and this is well described in [Lee3]. OWAS provides the ability to handle multiple as well as single faults when two independent constellations (e.g., GPS and a second GNSS) are used in combination. It does require that the faults are limited to satellites in a single constellation at a time. This method can provide integrity in the presence of multiple faults including those causing consistent ranging errors from use of erroneous earth orientation parameters, for example, by the GPS operational control segment.

The initial OWAS design assumed that the probability of a single fault or multiple faults -4 in a single constellation was no larger than 10 per approach and required maximum Pmd of 4×10-4. As illustrated in Figure 3-2, the OWAS navigation solution is a weighted average of the two independent position solutions, one using GPS and the second GNSS (GNSS-2) satellites, for example. The detection threshold and protection levels (HPL and VPL) are first expressed in a manner similar to the solution separation method [Brenner] as a function of the weights. The weights are then optimized to deliver as high availability as possible by trading accuracy for a reduced protection level while meeting all of the integrity, continuity and accuracy requirements.

50 GPS Solution Galileo Solution

d2 d1

X x2 x1 A (Weighted Average)

w 1 x 1 + w 2 x 2 w1 x A = = r x1 + (1− r) x 2 where r = w1 + w 2 w1 + w 2

w 1 : Weight for GPSSolution

w 2 : Weight for GalileoSolution

Figure 3-2. Formulation of Optimally Weighted Average Solution (OWAS)

OWAS provides a capability to provide integrity in the presence of multiple faults in a single constellation including those worrisome consistent faults discussed in Section 3. This capability could also be achieved by adding constellation wide failures in the ARAIM algorithm described above [Blanch]. The GEAS is continuing to evaluate the best choice of methods to address this threat, and the final answer may be some combination of ground, satellite, and/or airborne algorithm.

51 4. ARAIM Performance and Availability Results

This section first presents ARAIM availability results when using GPS and the second GNSS (GNSS-2) constellations in combination and using the multi-constellation ARAIM formulas described in Section 3. The ARAIM integrity performance (i.e., probability of missed detection) in the presence of correlated faults is then presented. The result shows the impact of consistent faults discussed in Section 3 on ARAIM integrity performance.

4.1. ARAIM Availability Results

ARAIM availability results with GPS alone presented in the GEAS Phase I report are shown in Table 4-1. In that analysis, our goal was to provide 99.5 percent availability over a very high fraction of the globe (e.g., 99 to 99.9 percent of the area between 70°S and 70°N). To reach that goal, the results show that we require at least 30-satellite GPS satellites in optimized orbital positions. The details of the constellation considered in Table 4-1 are given in the Phase I Report.

Table 4-1. Percentage of the Globe Between 70°S and 70°N That Has a 99.5% ARAIM Availability of LPV-200 Based on URA = 50 cm, URE = 25 cm, Maximum Bias = 75 cm, Nominal Bias = 10 cm (from the GEAS Phase I Report).

Constellation 24 minus 24 27 minus 27 30 minus 30 1 SV 1 SV 1 SV Percentage 7.80 44.7 30.6 94.1 90.5 100

For evaluation of ARAIM availability using GPS and GNSS-2 constellations together, the GEAS decided to assume the following three dual constellations with different numbers of satellites operating in each constellation: • 18 GPS + 18 GNSS-2 satellites • 21 GPS + 24 GNSS-2 satellites • 21 GPS + 21 GNSS-2 satellites Reduced constellations have two possible meanings. First, a reduced constellation may be available years before the respective constellations are fully populated. Second, it may be due to strong fluctuations in the size of an otherwise mature constellation.

The above listed constellations are subsets of an optimized final constellation with an equal number of satellites from different orbital planes. Within an orbital plane, the satellites are equally separated as much as possible. These constellations are shown in Figures 4-1 and 4-2 for GPS and GNSS-2, respectively, for the dual constellation of 18 GPS and 18 GNSS-2 satellites, as an example. The satellite orbital positions in the other two constellations are selected similarly.

52

Figure 4-1: Selected 18 GPS Satellite Orbital Positions5

Figure 4-2: Selected 18 GNSS-2 Satellite Orbital Positions

Along with the reduced satellite constellations, we also analyzed sensitivity to different combinations of values for URA, URE and maximum bias magnitudes. The chosen URA values range from the 0.5 m value assumed in the GEAS Phase I report to the 2.4 m value most commonly observed value for GPS. Support for these values is given in Section 6 of this report. URE is taken to be half of each URA value. The nominal bias magnitude is fixed at 0.1 m, as assumed in the GEAS Phase I report. With a URA of 0.5 m, the maximum bias magnitude of 0.75 m is used. With larger URA values, a somewhat

5 The geodetic longitude of ascending node (GLAN) in Figures 4-1 and 4-2 is relative to the Greenwich meridian.

53 smaller maximum bias magnitude of 0.5 m is assumed. For the three different dual constellations and for five different combinations of values for URA, URE and maximum bias magnitudes, Table 4-2 shows the percentage of the globe between 70°S and 70°N that has 99% and 99.5% ARAIM availability of LPV-200 as an average over a period of 10 days obtained using the multi-constellation ARAIM formulas described in Section 3.

Table 4-2. Percentage of the Globe Between 70°S and 70°N That Has 99% and 99.5% ARAIM Availability of LPV-200 with Different Sets of Combined GPS and GNSS-2 Constellations (Nominal Bias magnitude = 10 cm for all cases)

Case constellation 99% 99.5% Case #1 18 GPS GPS & GNSS-2: URA = 0.5 m 18 GNSS-2 97.9 79.0 URE = 0.25 m, 21 GPS MaxBias = 0.75 m 21 GNSS-2 100 100 21 GPS 24 GNSS-2 100 100 Case #2 18 GPS GPS & GNSS-2: URA = 1 m, URE = 0.5 m, 18 GNSS-2 83.4 63.1 MaxBias = 0.5 m 21 GPS 21 GNSS-2 100 100 21 GPS 24 GNSS-2 100 100 Case #3 18 GPS GPS & GNSS-2: URA = 2.4 m, URE = 1.2 m, 18 GNSS-2 15.7 9.6 MaxBias = 0.5 m 21 GPS 21 GNSS-2 97.9 79.1 21 GPS 24 GNSS-2 100 97.9 Case #4 18 GPS GPS: URA = 1 m, URE = 0.5 m, 18 GNSS-2 36.0 19.1 MaxBias = 0.5 m 21 GPS 21 GNSS-2 100 98.8 GNSS-2: URA = 2.4 m, URE = 1.2 m, 21 GPS MaxBias = 0.5 m 24 GNSS-2 100 99.9 Case #5 18 GPS GPS: URA = 2.4 m, URE = 1.2 m, 18 GNSS-2 49.5 38.6 MaxBias = 0.5 m 21 GPS GNSS-2: URA = 1 m, URE = 0.5 m, 21 GNSS-2 100 97.8 MaxBias = 0.5 m 21 GPS 24 GNSS-2 100 99.6

54 Case 1 in Table 4-2 with the constellation of 18+18 satellites may be compared with the results in Table 4-1, because they use the same combinations of URA, URE, maximum bias and nominal bias magnitude values with the same availability goal of 99.5%. Even though there are a total of 36 satellites in the combined constellations, the coverage of 79 percent for case 1 for 99.5% availability in Table 4-2 is significantly lower than the results of 94.1 percent and 90.5 percent for the 27 and (30 minus 1 satellite) optimized GPS constellation cases in Table 4-1. With increased values of URA and URE values, coverage degrades very quickly. In case the availability goal is reduced from 99.5% to 99%, the percentage of coverage becomes somewhat better but still not sufficient for civil aviation.

These disappointing results for 18+18 may be explained as follows. First, while the 18 satellites were selected to be as uniformly spaced as possible in each constellation, their orbital positions are not optimized between the two constellations. Second, when two constellations are used, the time offset between the two has to be taken into account. Thus the receiver must solve for five variables instead of four.

Table 4-2 shows that the number of satellites required in the dual constellation to provide a sufficiently high global coverage depends on what one may assume for the URA, URE, and maximum bias magnitude values. Specifically,

• Even with 99% availability threshold, a global coverage of 99 percent or higher cannot be provided with a dual constellation with 18+18 satellites. • With 99% availability threshold, a global coverage of 100 percent can be provided with a dual constellation with 21 GPS and 24 GNSS-2 satellites. The same high level of coverage can be provided with a dual constellation with 21 GPS and 21 GNSS-2 satellites for all but Case #3. • With 99.5% availability threshold, a global coverage of 99.5 percent can be provided with a dual constellation with 21 GPS and 24 GNSS-2 satellites for all but Case #3. The same level of coverage can be provided with a dual constellation with 21 GPS and 21 GNSS-2 satellites only for Case #1 and Case #2.

Figures 4-3 and 4-4 show the variation of ARAIM availability over the globe for Case #1 (most optimistic) and Case #3 (most pessimistic), respectively, with the 18+18 constellation, as an example. The figures show that there is a large variation of availability in each case. In particular, the maps show the best service near the equator. It is noted, however, that these availability numbers were estimated ignoring scintillation, which is ‘worst’ near the equator [El-Arini, Seo]. Therefore, putting these observations together implies that the coverage that we will have in real worldwide operations are likely somewhat lower than the coverage estimates shown. While not shown the plots for the other two dual constellations exhibit similar characteristics.

55

GPS Galileo URA URE maxBias URA URE maxBias 0.5 0.25 0.75 0.5 0.25 0.75

Figure 4-3 ARAIM Availability Over The Globe for Case #1 with 18 GPS and 18 GNSS-2

GPS Galileo URA URE maxBias URA URE maxBias 2.4 1.2 0.5 2.4 1.2 0.5

Figure 4-4 ARAIM Availability Over The Globe for Case #3 with 18 GPS and 18 GNSS-2

56

4.2. Impact of Correlated Faults on the ARAIM Integrity Performance

As stated in Section 3, an underlying assumption of the ARAIM analysis is that multiple satellite faults occur with a probability no greater than 1.3×10-8 per approach. With such a small probability of multiple satellite faults, the overall Pr{HMI} requirement can be met even if ARAIM’s probability of detecting an integrity failure caused by multiple faults is zero. However, as discussed in Section 2, faults causing correlated ranging errors from the use of erroneous values by the GPS operational control segment might occur. These might include faults in the earth orientation parameters or the monitor station antenna phase center positions. It may not be possible to rule out such faults with the required level of assurance.

The impact of correlated faults on ARAIM integrity performance is evaluated below under the assumption that there are no other ways of preventing correlated faults with the required level of assurance. For example, our analysis gives no credit for mitigation from the OCS Kalman filter’s comparison of expected and actual range measurements. The OCS Kalman filter’s comparison of expected and actual range measurements from monitor stations to satellites would detect such an error as long as no software design flaw is present. However, no credit can be given unless the OCS software is qualified to level 2 of DO-278. Among the correlated faults, the impact of erroneous earth rotation rate appears to be most severe. For this reason, the results are shown for this case below.

Figure 4-5 shows a result obtained from the use of a GPS-only constellation with all satellite orbit parameters corrupted by an erroneous earth rotation rate. With this type of fault, the full-set solution and all subset solutions deviate from the truth in the ECEF frame by the same amount of longitudinal error and are thus perfectly consistent with each other; therefore, no detection flag will be raised. This situation effectively causes the earth to rotate underneath the satellites so that satellite positions become incorrect in an ECEF frame unless they are at the poles. Since the position estimates deviate only longitudinally, while the vertical position error is zero, the horizontal error grows in the East-West direction at a rate proportional to the error in the earth rotation rate. In short, there will be no detection of horizontal position error with Pmd being equal to one.

57

Figure 4-5 ARAIM Performance with 24 GPS Satellites Affected by Erroneous Earth Rotation Rate

Figure 4-6 shows a result obtained from use of combined GPS and GNSS-2 constellations with all GPS satellites affected by an erroneous earth rotation rate but none of GNSS-2 satellites affected. As shown, Pmd is still significant for some geometries with (24−1) GPS satellites and (27−1) GNSS-2 satellites. In this analysis, a missed detection event is defined to occur when the position error exceeds the protection level (i.e., HPL) while no detection flag is raised.

From the above analysis, it can be stated that even multi-constellation ARAIM described in Section 2.5 cannot (without modification) provide adequate integrity when the erroneous earth rotation rate parameter causes consistent errors even if another constellation free from such a fault is used in combination.

58

Figure 4-6 ARAIM Integrity Performance Using Combined (24–1) GPS and (27–1) GNSS-2 Satellites With All GPS Satellites Affected By Erroneous Earth Rotation Rate

59 5. ARAIM Support: Ground Monitoring and Data Link

This section describes the ground monitoring needed to develop the ISM and the data links that may be suitable to communicate this message to the aircraft. ARAIM, including such ground monitoring and the ISM, addresses two related concerns: system assurance and sovereign control. In order to approve vertically guided procedures in a given airspace, the cognizant Civil Aviation Authority (CAA) must be confident that the navigation system conforms to all requirements. The CAA needs a mechanism to monitor the performance of the satellites used by ARAIM in the aircraft.

The sought after monitors should update the ISM periodically and should conform to the Design Assurance Level (DAL) that is appropriate for the failure condition associated with an integrity fault during LPV-200 operations. For vertical guidance down to 200 feet, the failure condition associated with an integrity fault is Hazardous/Severe-Major, and the corresponding DAL is Level 2 of DO-278 (equivalent to Level B of DO-178B). This is more stringent than for conventional RAIM, which only supports LNAV approaches. For LNAV, an integrity fault is only a Major failure condition.

As described in Section 3, the protection level equations depend on several parameters to determine the corresponding upper bound on position error. These parameters include: • tropospheric bounding variance • URA • user error bounding variance • bias bounds • probability of fault.

The tropospheric variance and user error bounds have been previously developed as part of Level 2/B assured systems and so will not be further discussed in this report.

The remaining terms must be assured to meet the full system DAL. If the satellite errors are not adequately bounded or if faults are more likely to occur than assumed, the probability of hazard associated with the protection level will not be correct. The URAs for today’s GPS constellation are not generated with an assurance level compatible with Level 2/B. As described in Appendix A, plans exist to upgrade the software assurance level associated with the GPS ground control segment, but these will not be implemented until the GPS III C time frame after 2030. Until that time, independent monitoring and generation of the ISM is certainly needed. Moreover, some nations may prefer monitoring that is independent of the core constellations. For them, independent monitoring and ISM generation may be a long term solution.

The next two sections discuss ground monitoring, data links and message structures to assure the integrity information for the users.

5.1. Ground Monitoring

60 Ground monitoring of the GNSS errors serves two purposes. In real-time, it identifies threats that may affect aviation integrity. In the longer term, it can observe the satellite performance characteristics and determine if they are compatible with the system design parameters. For GPS, faults are infrequent and nominal performance is very accurate. RAIM and ARAIM exploit this behavior by assuming the majority of satellites are well behaved and looking for outliers. With ARAIM, the real-time identification of faults, therefore, is primarily assigned to the aircraft. However, faults must be identified when they occur, and the troubled satellites must be removed before new faults occur. The ARAIM algorithm described in Section 3 and existing aircraft RAIM algorithms expect only one fault to be present at a given time. Additionally, the nominal behavior of the un-faulted satellites must be consistent with expectations for the protection level equations to be valid.

As described in Section 2, the ARAIM threat list may need to include multiple consistent faults within a constellation. An important consideration is the possible error growth rate of these faults and their potential correlation across independent GNSSs. Ground monitoring combined with the airborne ARAIM algorithm must fully mitigate all worrisome faults to within the required probabilities. Thus, the ground monitoring requirements need to be developed in coordination with the fault models and the aircraft algorithm. This section is based on the following assumptions:

• Faults may occur with low probability either independently per satellite or affecting a whole constellation. • Self-consistent faults affecting multiple constellations simultaneously are either sufficiently improbable or sufficiently slow growing as to be able to be alerted by the ground monitoring to the aircraft. • Upon detecting a fault, the aircraft will either: isolate the faulty satellite/constellation and hold it out until it can be safely assured to be un- faulted; or discontinue the operation until isolation can successfully be accomplished. • The required Time-To-Alert (TTA) from the ground monitoring system to the aircraft can be tens of minutes or longer.

With these assumptions, the aircraft algorithm has responsibility for detecting real-time faults. The ground monitor removes faults based on a longer time-to-alert (TTA) associated with the growth of multiple faults. This TTA is assumed to be tens of minutes or longer. The probabilities of fault used by the aircraft are correct in the long-term, and the nominal and overbounding distributions are correct in the long-term.

Given the protection level equations of Section 3, ground monitoring is in place to assure six parameters: the overbound of the satellite error variance, the overbound of the satellite error bias, the nominal satellite error variance, the nominal satellite error bias, the probability of fault for the satellite, and whether the satellite currently conforms to the previous five parameters. (In addition, as discussed in Section 2 and Appendix C, ground monitoring may be needed to ensure that multiple-signal fault conditions are adequately mitigated.) The first two parameters provide integrity bounds on the satellite error

61 distribution. The second two parameters describe the nominal performance and are intended to ensure the algorithm meets its continuity requirements. The fifth parameter also affects integrity as the probability of fault is used to determine Kmd. The last parameter ensures that the first five are valid and are expected to remain so for the duration of the TTA. Depending on the development of threat models other parameters may require ground assurance such as the probability of a consistent constellation wide failure.

5.1.1. Ground Monitoring by a Single Station

Ground monitoring may be performed by a single reference station; however, its area of coverage may be limited. The reference station would use its surveyed location to determine whether faults exist on the satellites. Because the reference station location is known, satellite errors may be more easily identified on the ground than on the aircraft. The aircraft algorithm is also detecting faults, therefore, the reference station has time to make its determination of the satellite behavior. Current augmentation systems must meet TTAs of only a few seconds and therefore must make decisions based on a single epoch worth of measurements. However, ARAIM support ground monitoring will likely have a TTA measured in hours. Therefore, many epochs worth of data can be combined to evaluate ranging performance. This will also allow a single reference station to extend its area of coverage as ephemeris errors, and other satellite faults that vary with distance to the station, become more observable over time. The exact area of coverage will depend on the fault models and the aviation algorithm, but a radius extending out hundreds of kilometers may be feasible.

The reference station should also evaluate the error distribution from each satellite over time and decide if the specified bounds on variance and bias are valid. If the satellite conforms to the expectations of the airborne algorithm then the ground monitor can flag it as acceptable. If it does not, the monitor can flag it as unusable or perhaps indicate larger bounds that are compatible with the ground observations and aircraft assumptions. The performance of the ground monitor will have to be sufficiently accurate to support the specified satellite parameters. Further, the ground station will have to separate its own local errors from the desired signal in space errors. A single reference station may not be sufficient to fully characterize long-term behavior as some faults and variations in un- faulted performance may occur out of view of the station. Thus, such characterization may also be based on the operation of other reference stations.

Such a ground monitor would share many characteristics with today’s GBAS which serves as a logical starting place for development. However, there are significant differences. Most obviously, the system would be dual frequency and multi- constellation. It also will not be generating differential corrections and there will be an enormous relaxation of the TTA. These latter two changes may make the implementation of the system considerably simpler than for existing GBAS. However, as mentioned earlier, the requirements on the ground monitoring will evolve in parallel with the precise airborne algorithm and the threat models.

62

5.1.2. Ground Monitoring by a Network

Another option for ground monitoring is to combine a network of receivers together to observe satellite behavior. The advantages of this approach are that fewer receivers may be needed to cover a given area and local errors may be more easily separated from signal in space errors. The disadvantage is that the installation of such a network requires greater time and effort than to install a single station. Here the obvious starting point would be an SBAS as it already consists of a linked network or receivers. The requirements of what is to be monitored are the same as for the single reference station. The main differences are that a larger area can be covered and measurements from more receivers are available to make the evaluations. If the network is not global, the same concern over inability to observe unusual satellite behavior occurring out of view also exists. The development of the threat models will determine whether in-view observations can represent a sufficient sampling or whether full characterization of performance requires contributions from other networks.

5.2. Message Content

Previously six parameters were defined to be the object of ground monitoring. These parameters are: • overbound of the satellite error variance • overbound of the satellite error bias • nominal satellite error variance • nominal satellite error bias • probability of fault for the satellite • flag indicating whether the satellite conforms to the above five parameters. Changes to this list are possible as the threat model and airborne algorithm evolve.

There are still many architectural options as to how this information is generated and transmitted to the user. One option is that the first five parameters are entirely generated and communicated by each GNSS core constellation. In this case, the ground monitoring simply evaluates whether satellite is expected to continue to behave in accordance with those parameters and broadcasts a flag for each satellite indicating whether or not it may be safely used. Another option would be to have the ground monitor generate all six parameters for each satellite and transmit them to the user. These options represent two extremes for data transmission from the CAA to the aircraft. A more likely scenario may have some of the data transmitted by the GNSS provider (e.g. the overbound of the satellite error variance), some of the data specified in interface specification documents (e.g. the probability of fault for the satellite), and the remainder transmitted by the CAA.

5.3. Data Links and Message Structures

This subsection will explore the range of data links that may be required to get the required data to the user. The best data link for a single reference receiver monitor will

63 likely also be a local data link such as the VDB developed for GBAS. A large network of reference receivers may be better served by satellite delivery such as the geostationary satellites used by SBAS. Given that GBAS and SBAS are potential starting points for the ground monitoring systems, we shall now explore their data links as possibilities for transmitting data to the user.

5.3.1. Candidate Data Links

The VDB used by GBAS has approximately 4 kilobits per second (kbps) of bandwidth per channel, but the available capacity may be somewhat limited due to the existing GBAS data and spectrum congestion. Thus, the available capacity of this channel could be as large as 4 kbps, but in practice only a small fraction of that may be available for the ISM. The SBAS data link is through the geostationary satellite, and it has a 250 bit per second (bps) capacity. Again the majority of this is committed to SBAS data content. If required, a second channel (a separate PRN number) may be made available, but this would incur significant cost and coordination. Again, the more likely availability is a small fraction of 250 bps.

Another possible data link is through the GNSS satellites. GPS has limited bandwidth (about 50 bps) most of which is reserved for other use, but some may be made available. Other digital communication links exist to modern aircraft, but it is not known if these have the integrity needed for navigation services. Therefore, Section 5.3.2 considers messaging bandwidths ranging from a fraction of 50 bps (GPS navigation message) to 4 kbps (GBAS data link).

5.3.2. Message Structure and Capacity

One Bit Per Satellite

The smallest amount of information required to be broadcast would be a single bit per satellite indicating its usability. If each GNSS satellite broadcasts its own flag then one additional bit would be needed per satellite. Since the ground TTA is very large, the update rate is determined rather by the required time to first fix, which should be no greater than one to five minutes. It is reasonable to assume that one spare bit per five minutes could be found on each GNSS satellite message stream including the GPS navigation message. This idea is also mentioned in Appendix A, where the single bit indicates whether or not the URA broadcast by modernized GPS is assured to the 10-5 level or the 10-7 level. These ideas are promising. However, they do not provide a local or direct sovereign mechanism to communicate the integrity status of the satellite or constellation. Thus, we now consider regional or local data links.

The SBAS and GBAS data links provide regional control, but now a single data link must transmit flags for all satellites. In the case of WAAS a single message contains 212 usable data bits which would easily accommodate a flag per satellite for all envisioned

64 constellations. If such a message were sent once every one to five minutes, the total bandwidth used would be less than 5 bps.

Multiple Bits Per Constellation

Section 3 describes a method for error overbounding and describing nominal errors. It uses six broadcast values per constellation. These six parameters allow for more flexibility in the event that the GNSS broadcast numbers do not fully meet the requirements that trigger a single bit failure flag. As such, they allow greater potential to achieve high availability rather than being limited a simple use/don’t use option. In addition, they allow the use of satellites that meet the requirements of the GNSS service providers, but need degraded error bounds to be used by aviation. Similarly, they also allow aviation systems to decrease protection levels should the GNSS service provider be needlessly conservative. Such flexibility is prudent even if it is not yet known whether it is needed. The six parameters can always be set to values to simply match the originally broadcast GNSS values.

Each of the six parameters can be specified using just a few bits. Eight bits per value would permit 256 distinct values for each parameter and would allow the six parameters for each of four constellations to fit within a single SBAS message. Thus, this additional flexibility would at most double the required bandwidth to between approximately 1.7 to 8.3 bps.

Multiple Bits Per Satellite

Even greater flexibility can be obtained by transmitting the first four parameters on a per satellite rather than on a per constellation basis. This protocol would afford higher availability because the overbounding values used in the algorithm will more closely match the true value assured by the ground. In addition, a problem with one satellite will not increase the integrity bounds on others.

This method increases the required bandwidth. Assuming 6 bits per parameter means that 8 satellites can be updated per SBAS message. Depending on the number of satellite in view of the ground monitor between four and sixteen additional messages will need to be sent. Assuming a mid range value of ten total message per one to five minutes implies a total bandwidth usage of between 8.3 to 42 bps. This is probably too large to absorb into the spare capacity of the SBAS channel although it may still be possible to include on the GBAS channel. For this reason, Section 3 examines the multiple-bits-per- constellation protocol as being a good trade between flexibility and bandwidth. As the architecture is refined, this choice can be revisited and properly optimized to the available bandwidth

65 6. Validation of the URA

User Range Accuracy (URA) describes a portion of the ranging error from the GPS satellites to the user receivers. Specifically, the URA is intended to bound the portion of the ranging error that originates from the ground control segment and/or the satellite segment. Thus, it is primarily directed at errors in the clock and ephemeris parameters that are broadcast as part of the GPS navigation message, although all satellite errors must be included.

For ARAIM, this URA must be assured in order for the VPL defined in Section 3 to provide navigation integrity. The URA on healthy satellites must be bounded under nominal conditions. In addition, the a priori failure rate must also be well estimated, because it is also used by ARAIM. As discussed in Section 2, the definition of failure for precision LPV-200 approach is substantially more stringent than what is used in today’s RAIM schemes that provide only non-precision approach. Clearly any fault that creates a five-sigma or greater error has the potential to create HMI. However, smaller faults can also cause HMI if they occur with greater frequency than predicted by Gaussian statistics. In addition, the correlation between measurements, i.e., the behavior of multiple distributions also need to be evaluated under both nominal and failure conditions.

Section 6.1 describes the current definitions of URA, and points out that the current definitions are in need of harmonization. It also offers to harmonize these definitions based on a set of tests that compare the Instantaneous User Range Error (IURE) to the broadcast URA. Section 6.2 presents a method to compute the IURE needed for the above mentioned test and how to execute the URA performance tests. Finally, Section 6.3 gives example results based on an evaluation of GPS during the years 2008 and 2009.

6.1. Evaluation Criteria

Existing documents do not specify how to use the URA information broadcast by GPS to create an assured bound on the user position errors. This section discusses how the existing requirements could be evaluated via data monitoring to help assure that the final bound in the position domain is safe.

6.1.1. Existing Statements

There are several statements about the URA in the current GPS SPS PS and the GPS III specifications documents. Unfortunately, they are not always consistent with each other nor are they clear as to their implications and use. The most relevant statements for safety analysis are listed below: 1. URA bounds on healthy satellites a. The URA is a conservative representation of the expected Root Mean Square (RMS) of the Instantaneous User Range Error (IURE).

66 b. The probability of the IUREi exceeding 4.42 × URAi without a timely alert is less than 1 × 10-5 in any given hour.

c. If the integrity flag is set to true, the probability of the IUREi exceeding 5.73 × URAi for more than 5.2 seconds without switching to non-standard code (NSC) is less than 1 × 10-8 in any given hour. 2. Major Service Failure

a. The probability of a major service failure defined as an event of IUREi -5 exceeding 4.42 × URAi is less than 1.4 × 10 per satellite in any given hour. This implies an average of 4 major service failures per 32-satellite constellation per year. b. The maximum duration of any major service failure is 6 hours. c. The probability of simultaneous faults on multiple satellites is below 5 × 10-9/hour.

It is clear that the URA is thought of as a one-sigma number that conservatively describes an error that is close to Gaussian (i.e. the actual sigma is less than URA). However, the above statements do not provide assurance that this is strictly the case. Thus, these statements need to be transformed into criteria that can be assessed in real time.

6.1.2. URE Performance Criteria

The tests listed below transform probabilities into unambiguous exceedance rate tests. In general, statements that invoke probabilities can be difficult to evaluate. However, the following statement do yield such a transformation under the following assumptions: the instantaneous ground and space segment errors, IUREi, are conservatively described by independent, zero-mean Gaussian variables given by N(0, URAi); and the errors are ergodic and have relatively short correlation times [reference T. Walter]. Under these condition, the following tests would confirm that statements in Section 6.1.1 are met [reference T. Walter].

1. Behavior of individual distributions a. The RMS of IURE/URA over any given day shall not exceed 1 b. The absolute mean value of IURE/URA shall not exceed 0.5 over any given day c. The absolute value of any IURE shall not exceed the URA for more than 7.7 hours in any given day d. The absolute value of any IURE shall not exceed 1.96 × URA for more than 1.2 hours in any given day e. The absolute value of any IURE shall not exceed 3.29 × URA for more than 43 minutes in any given 30 day period f. If the integrity flag is set the absolute value of any IURE shall not exceed 4.42 × URA for more than 315 seconds in any given year.

67 g. If the integrity flag is set, the absolute value of any IURE shall not exceed 5.73 × URA for longer than 5.2 seconds at any time or location 2. Behavior of multiple distributions a. The square-root of the normalized sum of any 10 squared errors, removing an average value, shall not exceed 6.27 for more than 315 seconds in any given year. b. The square-root of the normalized sum of 10 squared errors, for satellites with the integrity flag set, removing an average value, shall not exceed 7.08 for longer than 5.2 seconds. 3. Major Service Failures a. In evaluating the above tests, up to four segments of data may be excluded. A segment consists of a continuous set of IUREs from a particular satellite. All IUREs from the satellite to any user are removed for the segment. Segments can only be removed from satellites when the integrity flag is not set to 1. The same four segments must be used for all evaluations within a year. b. The maximum duration of each removed segment is six hours. No more than six contiguous hours of data may be removed in any individual instance. c. The segments may not overlap. When one segment is removed for an individual satellite, no other healthy satellite’s data may be removed at the same time.

From a rigorous point of view, these tests are not sufficient to establish Gaussian bounding on the IUREs. However, they are satisfactory if some modest assertions are accepted. Our argument utilizes the the concept of paired bounding ([Rife]). By evaluating the data at discrete probabilities as specified in Section 6.1.2 we are able to constrain the Cumulative Density Function (CDF) of the errors. Paired bounding maintains the convolution of a right bound would stay to the right of the convolution of any distribution in the acceptable CDF region. If a similar left bound is assumed to be applied as well, it restricts the acceptable CDF region further. These right and left bounds are established by the monitoring described here and the biased Gaussian model used to form the VPL.

6.2. Validation Method

In this subsection, IUREs are defined and computed. These definitions are needed to test whether the instantaneous ground and space segment errors meet the performance criteria listed in Section 6.1.2,. The IURE, traditionally signal-in-space error, includes satellite clock and ephemeris error, satellite antenna phase and group delay variations, code- carrier incoherence, signal deformation, relativistic correction errors, and any inter-signal errors induced on the satellite. Among these error sources, the main contributions of the IUREs are the satellite position error and the satellite clock error. The IURE is then

68

IURE=++ errSV___ clock err SV eph err SV antenna + err deformation ++ err smoothing errothers (6-1)

The last four terms are expected to be near zero except under satellite fault conditions. The first two terms, the clock and ephemeris errors, are often expressed as radial (εrad), along-track (εatrk), cross-track (εxtrk), and clock (εclk). The instantaneous user clock and ephemeris error is given by

ε clk/_ eph user=+εθεθφεθφε radcos atrk sin cos + xtrk sin sin − clock (6-2)

The angle θ is defined to be the angle between the line connecting the satellite and the user, and the line connecting the satellite to the center of the Earth. The angle φ is the angle between the line connecting the satellite and the user, and the orbital plane of the satellite, both projected into a plane perpendicular to the line connecting the satellite to the center of the Earth.

6.2.1. IURE Computation Method

Two methods to calculate IURE are presented in this section. One is called top-down, which is based on high data rate dual frequency measurements obtained from the Wide Area Augmentation System (WAAS) or the National Satellite Test Bed (NSTB) networks. The IUREs of a satellite are obtained by stripping off all errors that are not part of the SIS errors. The following non-SIS errors are removed: ionosphere and troposphere delays, multipath error, and receiver clock error. The top-down algorithm forms dual-frequency ionosphere-free combination measurements, calculates the troposphere delay, smoothes multipath errors, and estimate the receiver clock bias [Gao2]. After removing all non-SIS errors from the total pseudorange error obtained by using receivers at surveyed locations, only the SIS errors should be significant. In other words, the IURE is the only error term that will remain.

The other approach to compute IUREs is the bottom-up method, which builds up the IURE errors by summing the satellite position and clock errors. The satellite position and clock errors are calculated by differentiating broadcast and precise ephemerides obtained from the International GNSS Service (IGS) network and the National Geospatial Intelligence (NGA) network, respectively. The IGS and NGA networks do not provide ephemerides information at the same time stamps. Thus, the IGS ephemerides need to be propagated to the same times as those of NGA for fair comparison. The broadcast satellite clock error is also propagated based on the clock rate, the clock acceleration rate and the time difference. After the time is aligned, the difference between the propagated broadcast ephemerides and the truth is calculated. Finally the ephemeris and clock errors are projected onto the line-of-sight of the satellite and a receiver on Earth as shown in Equation (6-2).

69 The top-down and bottom-up methods complement each other. The top-down method includes all SIS errors, but may not exclude all the non-SIS errors. However, the bottom- up method does not include the complete list of SIS errors. The WAAS/NSTBs network used for the top-down method has a data update rate as fast as every second. It can capture the fast appearance of the ephemeris errors. However, the WAAS/NSTB network does not have world-wide coverage. In comparison, the IGS and the NGA networks used for the bottom-up method have receivers all over the world, and thus it can capture outages regardless of the location of satellite at the time of the outages. The data update rates are every 15 minutes for NGA precise ephemerides and every two hours for IGS broadcast ephemerides. This low data rate makes it unlikely to capture satellite outages shorter than 15 minutes.

6.2.2. Performance Test

To compute the worst IURE over all grid points on the Earth’s surface (i.e., all possible user locations), IUREs for all pairs of angle θ andφ are computed and the maximum value of IUREs is determined as shown in Equation (6-3):

IUREworst = max( IURE (θ ,φ )) (6-3)

This worst IURE is compared to URA to examine whether those meet the URE performance criteria proposed in Section 6.1.2. Under nominal conditions, the bottom-up method with the IGS and NGA data can be used to evaluate performance criteria 1.(a) to 1.(e). If any major service failure is observed, the use of the top-down approach with the WAAS/NSTB data is recommended because the data update rate of the network is as fast as every second and the results can be cross-checked with those from the bottom-up approach.

6.3. Preliminary Results

The GPS constellation performance was evaluated using data from the year 2008. IUREs calculated using the bottom-up method described in Section 6.2.1 and the IGS/NGA ephemerides were tested against the proposed performance criteria in Section 6.1.2. The results are shown in Table 6-1. The performance of most SVs is reasonably good given that the criteria developed are targeting future GPS capabilities. However, the third criterion, 1 x URA test, is the most likely to fail except for some relatively new Block IIR satellites and a few Block IIA satellites which carry rubidium clocks.

One should note that the current ephemeris parameters are updated every 24 hours which is much longer than the 15 minutes planned for the future GPS IIIC and OCX. Given the correlation time of the errors under the current operation of the constellation, the criteria should be applied over a longer period of time. The first four criteria were modified by extending the 24-hours test window to 72-hours. The results of URE performance tests with modified criteria are shown in Table 6-2. UREs of almost all satellites satisfy the

70 performance test criteria. Some outliers were observed, but no multiple outliers were occurred simultaneously. Similar tests were performed for the years 2007 and 2009. Analysis results of those tests show that an ARAIM user using broadcast URAs would have been safe at all times. Recall that a major service failure is defined as an event when IUREi exceeds 4.42 × URAi. No such failures were observed from the tests of year 2008 and 2009. For year 2007, four major service failures were observed. The detailed analyses of those events are in [Gao2].

Table 6-1. Results of URE Performance Tests for 2008. PRN /Block Launch date RMS Mean 1xURA 1.96xURA 3.29xURA 4.42xURA Test: # Test: # Test : # Test : # of Test : # of Test : # of of of of failing days failing failing failing failing failing months years days days days

1/IIA-16 22 NOV 1992 17 0 29 12 0 1 /decom.misioned

2/IIR-13 06 NOV 2004 0 1 5 0 0 0

3/IIA-25 28 MAR 1996 5 0 24 0 0 0

4/IIA-23 26 OCT 1993 1 0 1 0 0 0

5/IIA-22 30 AUG 1993 5 2 19 0 0 0 /decommissioned

6/IIA-24 10 MAR 1996 3 0 7 0 0 0

7/IIR-19M 15 MAR 2008 0 0 2 0 0 0

8/IIA-28 28 MAR 1996 1 0 16 0 0 0

9/IIA-21 26 JUN 1993 4 0 22 0 0 0

10/IIA-26 16 JUL 1996 4 1 17 2 1 0

11/IIR-3 07 OCT 1999 0 0 4 0 0 0

12/IIR-16M 17 NOV 2006 0 0 0 0 0 0

13/IIR-2 23 JUL 1997 2 1 2 0 0 0

14/IIR-6 10 NOV 2000 2 2 5 2 0 0

15/IIR-17M 17 OCT 2007 0 0 0 0 0 0

16/IIR-8 29 JAN 2003 0 0 0 0 0 0

17/IIR-14M 26 SEP 2005 0 0 3 0 0 0

18/IIR-7 30 JAN 2001 0 0 0 0 0 0

19/IIR-11 20 MAR 2004 0 0 0 0 0 0

71 20/IIR-4 11 MAY 2000 0 0 0 0 0 0

21/IIR-9 31 MAR 2003 0 0 0 0 0 0

22/IIR-10 21 DEC 2003 0 0 1 0 0 0

23/IIR-12 23 JUN 2004 0 0 0 0 0 0

24/IIA-11 04 JUL 1991 6 0 21 2 0 0

25/IIA-12 23 FEB 1992 17 4 51 4 0 0

26/ IIA-14 07 JUL 1992 0 0 0 0 0 0

27/IIA-15 * 09 SEP 1992 5 0 35 0 0 0

28/IIR-5 16 JUL 2000 0 0 2 0 0 0

29/IIR-18M 20 DEC 2007 4 4 12 2 0 0

30/IIA-27 12 SEP 1996 5 0 22 2 0 0

31/IIR-15M 25 SEP 2006 0 0 4 0 0 0

32/IIA-10 26 NOV 1990 0 0 0 0 0 0

Table 6-2. Results of URE Performance Tests with Modified Criteria for 2008. PRN /Block Launch date RMS Mean 1xURA 1.96xURA 3.29xURA 4.42xURA Test: # Test: # Test : # Test : # of Test : # of Test : # of of of of failing 72 failing failing failing failing failing hour months years 72 hour 72 hour 72 hour periods periods periods 1/IIA-16 22 NOV 1992 4 0 5 1 0 1 /decommissioned 2/IIR-13 06 NOV 2004 0 0 0 0 0 0 3/IIA-25 28 MAR 1996 0 0 0 0 0 0 4/IIA-23 26 OCT 1993 0 0 0 0 0 0 5/IIA-22 30 AUG 1993 1 0 3 0 0 0 /decommissioned 6/IIA-24 10 MAR 1996 0 0 0 0 0 0 7/IIR-19M 15 MAR 2008 0 0 0 0 0 0 8/IIA-28 28 MAR 1996 0 0 0 0 0 0 9/IIA-21 26 JUN 1993 0 0 0 0 0 0 10/IIA-26 16 JUL 1996 0 1 0 0 1 0

72 11/IIR-3 07 OCT 1999 0 0 0 0 0 0 12/IIR-16M 17 NOV 2006 0 0 0 0 0 0 13/IIR-2 23 JUL 1997 0 0 0 0 0 0 14/IIR-6 10 NOV 2000 2 0 2 2 0 0 15/IIR-17M 17 OCT 2007 0 0 0 0 0 0 16/IIR-8 29 JAN 2003 0 0 0 0 0 0 17/IIR-14M 26 SEP 2005 0 0 0 0 0 0 18/IIR-7 30 JAN 2001 0 0 0 0 0 0 19/IIR-11 20 MAR 2004 0 0 0 0 0 0 20/IIR-4 11 MAY 2000 0 0 0 0 0 0 21/IIR-9 31 MAR 2003 0 0 0 0 0 0 22/IIR-10 21 DEC 2003 0 0 0 0 0 0 23/IIR-12 23 JUN 2004 0 0 0 0 0 0 24/IIA-11 04 JUL 1991 0 0 0 0 0 0 25/IIA-12 23 FEB 1992 0 0 5 0 0 0 26/ IIA-14 07 JUL 1992 0 0 0 0 0 0 27/IIA-15 * 09 SEP 1992 2 0 1 0 0 0 28/IIR-5 16 JUL 2000 0 0 0 0 0 0 29/IIR-18M 20 DEC 2007 0 0 0 0 0 0 30/IIA-27 12 SEP 1996 0 0 0 0 0 0 31/IIR-15M 25 SEP 2006 0 0 0 0 0 0 32/IIA-10 26 NOV 1990 0 0 0 0 0 0

73 7. Preliminary ARAIM/ISM Prototype Plan

This section of the report is forward looking. It proposes a possible ARAIM prototyping plan. This section is based on WAAS prototyping efforts and is intended as an example of scope and methodology.

7.1. Overview

The GEAS has identified ARAIM together with ground support as the primary algorithmic components of an architecture that should be able to support worldwide LPV- 200 approach capabilities. The interface between the ground support and the airborne algorithm would be the ISM.

The goal of the prototyping plan is to define the capabilities needed to analyze ARAIM supported by the ISM against the performance required for worldwide LPV200 approaches. Our proposal extends existing prototyping capabilities. As such, it recommends a natural algorithmic evolution for defining and evaluating ARAIM/ISM performance and algorithm requirements.

The remainder of this section is organized as follows:

• Section 7.2 – End State Objectives • Section 7.3 – Evolution of Existing Prototyping Capabilities • Section 7.4 – Development Plan • Section 7.5 – Conclusions

7.2. End State Objectives

The desired end state for the GNSS navigation architecture envisioned in this report is shown in the block diagram below. As shown, the user algorithms utilize ARAIM to detect all hazardous events that may arise in between the receipt of ISM. In addition, the user equipment may also employ relative RAIM as described in Section 8 for single constellation applications.

74

Figure 7-1 End State Block Diagram

The envisioned prototype will utilize existing one-second satellite measurement data as input to the aviation user with ARAIM algorithms. An evaluation capability which assesses performance, integrity and continuity will need to be developed.

Much of the capability diagrammed in Figure 7-1 already exists in some form. The next subsection details an evolution of this existing capability.

7.3. Evolution of Existing Prototyping Capabilities

7.3.1. Current Capabilities

Over the previous decade during the WAAS and LAAS developments, GNSS prototyping capabilities have been developed at different locations by the FAA and their subcontractors. For WAAS, the relevant prototyping sites include Stanford University, MITRE, Zeta Associates, Jet Propulsion Laboratory (JPL), the FAA Technical Center (FAATC) and Sequoia Research Corporation (SRC). Furthermore, SRC and FAA/Safety Operations Support (SOS) in Oklahoma City have reproduced much of the capability that exists at the WAAS prime contractor. Similarly for LAAS and other GBAS efforts, capabilities for assessing the performance exist at Illinois Institute of Technology, Ohio University, Stanford, MITRE, the FAATC and SRC. In addition to the software prototypes of both SBAS and GBAS systems, several locations have installed antennas and receivers for data collection such as Stanford University, Zeta, Ohio University, the FAATC and SOS in Oklahoma City. Finally, the use of actual system data from WAAS is available at SRC, SOS in Oklahoma City and the FAATC.

As described above, several locations attached to the FAA GNSS navigation effort are equipped to create high fidelity results capable of confidently answering specific design decisions. However, these capabilities have not been integrated in a unified way to support future GNSS efforts. Over the last year or so, SRC has developed and documented the WAAS processing capability as part of the HMI analysis tools transition for the WAAS Follow-On (WFO) contract. This capability should serve as the starting

75 point for the envisioned prototype effort. The current data and tool flow diagram is shown below (Figure 7-2).

Figure 7-2 Current WAAS prototype processing

Figure 7-2 depicts the current capability which exists at two locations only, namely SOS and SRC. Black dotted lines have been drawn on Figure 7-2 to highlight where the basic capabilities reside and how the processing threads are linked. (Processing chain 1 is SOS and processing chain 2 is SRC.) Note that there is some overlap in capabilities but data size issues force the large data sets to be produced by SOS so the dotted black lines represent good estimates of the division of labor between the two sites. Processing chain 3 is of much less importance due to the fact that that processing chain is basically only used for WAAS orbit estimation cold start issues as well as some historical data processing. For this plan, we will focus on processing chains 1 and 2. The tool capabilities in processing chain 3 are well documented and not of immediate importance, however mature processing of the chain 3 tools is part of this plan.

PROCESSING CHAIN 1 SOS is connected to the operational WAAS and collects and monitors all of the data that flows into fielded WAAS software. WAAS has two rings of data which collect all of the WAAS station data and deliver this rate group data to an Operations External Interface (OEI) collector and formatter. From the collector/formatter scripts, recording files (*.cf) are created. The fielded WAAS software is also run and “snoop” files generated by the Correction and Verification (C&V) estimator for use by the safety processor are also created and stored daily in

76 one hour blocks. The recording files and the snoop files are the main data types created and stored on a daily basis at OK City.

Another set of important processing includes the blocks Reformatter and Receiver Independent Exchange Format (RINEX) Creator. As shown in Figure 7-2, these functions create RINEX files. They were developed for analysis purposes and are run daily at SOS. These data are currently used for station location analysis and are decimated to fifteen-minute samples. The scripts are versatile enough to create one- second data if desired. The RNG files contain a semi-exhaustive set of measurement data which is described in detail in other supporting documentation. The ENG files are simply data about the receiver which created the data at the time of collection (temperature, power, fan information, etc.).

PROCESSING CHAIN 2 The second chain of processing is the downstream piece which happens at SRC. Snoop data is downloaded into the SRC cluster via a Virtual Private Network (VPN) from the WAAS in 1-hour blocks. The integrity monitor prototype (recently renamed the W3SP) is then run and two fundamentally different types of data are created. Along with truth data (both from the Supertruth process and external data from various web and ftp sites), the HMI data and comparator logs provide a full assessment of the accuracy, integrity and overall performance of the system. The data files in processing chain 2 are described below.

COMPARATOR LOGS Comparator logs are unformatted files from which other, much smaller, files are culled. Most files have scripts associated with them and are run via korn shell or invoke a grep command to extract the pertinent data. These are not usually used for integrity analysis, but more for system performance. This interaction is crucial however, as changes to integrity algorithms tend to affect system performance quantities (GIVES, UDRES, etc.). Comparator logs are then run though short formatting scripts to create the input for SVM which assess the protection levels generated by WAAS on the day under analysis.

HMI DATA The HMI data sets are created via a set of flags in the integrity prototype. Combined with a set of MatLab tools, the chain which creates the vast majority of figures and tables in the HMI analysis document is shown below. SNOOP DATA Æ W3SP Æ HMI DATA ÆHMI MatLab tools Æ HMI document

SUPERTRUTH The Supertruth data is a four part process which is only described here briefly. The first part is the GIPSY software which runs off RINEX data and is the basic orbit and clock Kalman filter. Once this is run, the GIPSY Iono Model (GIM) is run to create ionospheric delays for each station. Since WAAS has three receivers at each location, the Supertruth scripts invoke a voting algorithm to select the best estimate of the ionospheric delay at the station. Up to this point, twelve columns of truth data have been generated, namely epoch,

77 station, SV, delay, Kalman filter sigma, azimuth and elevation of the track, station and satellite bias, and station latitude, longitude and height.

EXTERNAL DATA There are some external data sets used for creating orbits, namely the JPL TDPC files and the Yuma ephemeris files. These files are well described elsewhere and it suffices to say that they are simply used to create truth estimates for the orbits.

7.3.2. Necessary Future Capabilities Our proposed evolution is based on mapping the end state blocks in Figure 7-1 to currently existing or projected blocks in Figure 7-2. The pictorial scheme for such a mapping is shown below in Figure 7-3. The red numbers in Figure 7-3 correspond to the four major blocks in Figure 7-1. A short description of each of these four blocks is given.

• Block 1 – The BDUMP scenarios are one of many different data sets which contain basic measurement (rate group) data. The format is well documented and well understood, and the headers (while still binary) have not been stripped out making processing easier than other standard binary formats. This will be the starting point for the measurement data.

• Block 2 – The ARAIM user prototype is akin to the several users’ software programs, including SVM for WAAS, SWAT at MITRE, MatLab Algorithm Availability Simulation Tool (MAAST) from Stanford University and the WAAS User’s Position Solution (WUPS) again for WAAS. While the RAIM algorithms are distinct from the current user’s algorithms, a lot of similar functionality is shared. For that reason, the SVM box and the ARAIM box have been placed side by side to indicate that the ARAIM coding will leverage the SVM code.

• Block 3 – In the same way that the current system is evaluated (via metrics like the Stanford triangle plot), the ARAIM algorithms will need to be evaluated. Several new tools will need to be developed; however some of the current WAAS and LAAS methodologies will most likely carry over into this effort.

• Block 4 – Currently, the quantities in the WAAS messages are generated in the WAAS C&V prototype. While this may not be the final generating place for the operational ISM, this block would be an excellent starting point for our evaluations.

78

Figure 7-3 – Current Capabilities and End state blocks

7.4. Development Plan

With the above described capabilities, the following questions can be answered.

1) What is the fully defined ARAIM algorithm? 2) What are the contents and the update rate of the ISM? 3) Now that the ARAIM algorithm and the ISM are developed, do they mitigate all of the agreed upon threats? 4) How do multiple constellations improve ARAIM performance? 5) Can a limited (and most likely global) ground network take the place of the currently fielded WAAS?

This section describes a logical flow of work by addressing the above questions in order. However, our prototyping capabilities would be developed with continuous rework and modification. For example, ARAIM performance will depend strongly on the measurement noise characteristics. The L2P(Y) unsmoothed pseudoranges, available today, are extremely noisy compared to the pseudorange measurements that will be available at the new L5 frequency. Thus the noise models used in the prototype will mature as L1/L5 flight data becomes available.

79 7.4.1. Developing the full ARAIM algorithm for a single constellation

Overview of Coding Plan In the fullness of time, ARAIM will be used to integrate signals from multiple GNSS constellations and modified ground networks. Even so, our first step is to understand, code and document the ARAIM algorithm in a mature form using one second data from the GPS constellation and the WAAS ground system.

The final block in the total processing chain shown in Figure 7-3 is the user’s performance which is assessed in both the availability and the integrity realms. Currently, this is done officially on WAAS by the Service Volume Model and elsewhere using other programs as shown in Figure 7-2. The user software computes (or loads) the GIVEs, UDREs and MT28 messages and applies the MOPS protection level algorithms to assess performance (integrity, accuracy, etc).

The first task is to emulate the basic user functionality and any other necessary user functionality on a more “friendly” platform such as an AIX or a PC. For this, we have SVM at Raytheon, the FAATC software, SWAT developed at MITRE and MAAST developed at Stanford University. An initial assessment of these software packages would be done and a decision then made to either port one (or more) of the above into the framework of Figure 7-2. Alternatively, we could develop new software borrowing from the functionality in the above programs. This new user prototype will initially only leverage the GPS constellation and will NOT initially use an ISM. It will run on one- second data and will create one second output.

This ARAIM prototype would generate standard post-processed files with standard quantities, such as the protection levels, position errors all associated with time stamps and user locations so that TTA analysis could be done on such files. The basic functionality that would be developed for this initial assessment would be strongly linked to the theory developed in section 3. Specifically, the code will generate values for user position solution and protection levels. These outcomes will be based on measurement residuals, Δr, and the observation matrix G, which are available in all user software. From there, the equations in section 3.3.1 can be coded simply. Moreover, the behavior of the error components Dn and the associated protection components VPLn can be evaluated for the one second data rate for detailed analysis.

Validation of Requirements The performance requirements in section 2.1 are broken down into four specific areas, namely the PHMI, the False Alert Probability, the EMT and the 95th percentile accuracy (which are described respectively in sections 2.1.1, 2.1.2, 2.1.3, and 2.1.4). This ARAIM prototype would be able to evaluate these requirements using real data. As has been done in several other programming efforts in the integrity realm, the prototype should generate daily data files for long term trending.

Once the software for validation of the requirements is coded and the ARAIM algorithm (along with the parameters) is well understood, the ISM can be better crafted to support any problematic threats.

80 7.4.2. Developing the full ISM

Currently, WAAS delivers twenty-eight message types to a user. The contents, formats and update rates of these messages are well understood and well documented. An ISM will be necessary to support the ARAIM user. The prototype will be used in the development of the contents, format and update rate associated with ISM.

The task of coding an ARAIM message should initially be in the WAAS prototype in the same way that the other 28 messages are provided. While this may not be the final mechanism for such broadcasting an operational ISM, this simulation will generate understanding and test cases for the formats and update rates. Also, it will also foster the development of validation tools for the ISM. This task is relatively simple. The designers of the ISM would identify outputs desired/required for an ISM and these would be output to the comparator log shown in Figure 7-3. An ISM formatter/creator tool would be developed and finally a validation methodology would be developed much in the same vein as done for standard HMI analysis. The methodology would be coded. Figures and table verifying the function of the ISM would be created. The standard flow chart is shown below with the portion modified to support ISM studies shown in red. Note that this picture is a slightly expanded version of the ISM portion in Figure 7-3 but omits the ARAIM user prototype.

Figure 7-4 ISM prototyping branch

81 As described in Section 5, multiple ISM formats are being considered. We consider the format that expends multiple bits per satellite. As described in Section 5.2, this ISM format uses the following parameters: • The overbound of the satellite error variance • The overbound of the satellite error bias • The nominal satellite error variance • The nominal satellite error bias • The probability of satellite fault • A flag indicating whether the satellite conforms to the above five parameters.

The ARAIM prototype would be used to generate an user error overbound based on the six parameters above. The probability of satellite fault could be computed either by straight statistical arguments of each distribution or by using a Gaussian convolution argument using all of the means and sigma overbounds applied for a particular satellite against all other satellites. In this way, a more stringent probability requirement can be assessed.

The coding of the ARAIM User’s Prototype and the ISM would be tested and initially developed for a single constellation and nominal (non-faulted) conditions. The applications of faults and the associated analysis are described in the next subsection.

7.4.3. Mitigations of threats

The last two subsections describe the primary coding of the ARAIM user prototype and the ISM. Up to this point these will have been tested and evaluated only for the GPS constellation during nominal conditions. The evaluation of faulted performance is the next logical step. This effort is broken into two parts, namely the classification of threats (and faults) and the injection of the faults into the data.

Classification of Threats The threats discussed in section 2.2 in this report are shown on a standard GNSS navigation diagram depicting the different navigation segments. The threats/faults can be grouped into the following classes: • On board satellite equipment • Space weather • Earth weather • Ground Issues • User’s hardware equipment • User’s algorithmic software • General Error Distribution Statistical Issues

There are nine Space and Ground Segments GNSS Signal Fault Causes and thirteen User Equipment GNSS Signal Fault Causes. Some of these can (and have) been further

82 subdivided; however we list them here only in their higher level capacity. The groups are shown relative to their functional area or physical location on Figure 7-5.

Figure 7-5 Organization of threats

Injection of Faults In general, a fault injection study requires an in depth understanding of how the fault affects the GPS measurement quantities (code, carrier, etc.) and where the fault presents itself. At times, the fault effects can be applied in the downstream computed quantities. However, we prefer to apply the errors directly to the measurements themselves. Each fault will need to have an agreed upon model which may come with a well defined parameter space. Many of the listed faults have been well modeled, but substantive work remains to finalize all the needed fault models. Once the threat model for a particular fault is agreed upon, it then remains to apply the fault directly to the area that it affects. Since many of the faults directly affect the measurement data, the example below describes the application of that kind of fault.

The BDUMP scenarios shown below in Figure 7-4 contain rate group data from the WAAS stations and it is here that most faults should be injected so as to best follow the effects of the fault through the system. By this point, the processing chain will need to be well understood. Two parallel paths for the faulted and nominal data are thus shown and the culmination of the two processing chains result in both integrity and system outputs for both the faulted and non-faulted cases (as shown in the upper right hand corner of

83 Figure 7-6). It should be noted that the multipath characteristics may be different, as it represents the user’s airborne multipath, not the ground multipath. We anticipate an ongoing refinement of the multipath models used in this prototyping effort. Further, it may well be worth augmenting this effort with a concerted data flight gathering activity where the data collection supports the study of dual frequency operation.

The primary activity for this task is to understand the details of the BDUMP scenarios and create a “threader” which unwraps the BDUMP scenarios, applies a fault to a selected type of measurement or data, and then repacks the scenario.

Figure 7-6 Fault injection processing

Once this has been completed, a formal investigation of the Effective Monitor Threshold (EMT) should be evaluated to determine compliance with this requirement. It is clear that for each fault mode (and potentially sub-fault mode), an EMT requirement needs to be assessed. By this point, the “open questions” mentioned in section 2.1.3 will need to be answered and closed.

7.4.4. Studying the ground network and multiple constellations

As described above, our first phase of prototyping will be based on ARAIM and ISM under nominal and faulted conditions with the current WAAS ground network and the GPS constellation. A subsequent phase will consider other forms of the ground network and introduce additional GNSS constellations.

The coding supporting both the study of multiple constellations and modified ground networks is roughly the same. Modified data will have to be “threaded” into existing rate

84 group scenarios. For the addition of stations, this has twice been successfully performed (in WAAS Release 6/7 and Release 6/7 delta) where real station data was threaded into current scenarios and run through the integrity prototype, including the orbital Kalman filter, for HMI assessment. A schematic is shown in Figure 7-7 below.

Figure 7-7 Processing for modified ground network and satellite data

Study of Multiple Constellations Three key issues are associated with the underlying GNSS constellation: (1) the integrity issues associated with a degraded GPS constellation; (2) the technical details of dealing with a mixed GPS constellation (satellites with and without L5); and finally, (3) the addition of new GNSS constellations (i.e., GLONASS, Galileo, Beidou/COMPASS, etc.).

Degraded constellations are fundamentally easy to implement for prototyping purposes; we remove the measurements from a particular satellite or set of satellites. A mixed GPS constellation is relatively easy as well. The assumption is that the errors in the users weighting matrix would be mixed as well, and the user would invoke two different error models (one for single frequency and one for the dual frequency). While the nature of the errors would not be exact, the overall performance assessment would be accurate.

Introducing code for multiple constellations would be more difficult, because we would need to supply the prototypes with the same information as the GPS constellation or its equivalent. Moreover, the threat models and a-priori failure rates might be quite different. Thus, this step is a significant one.

Studying a Modified Ground Network The processing for studying ground station issues is relatively simple and as mentioned above such studies have been done several times in the past. New station data is added to the rate group data found in the BDUMP scenarios. This has been accomplished twice in earnest during the WAAS development.

85 First, it was required when nine stations were added to the original twenty-five for a total of thirty four for the release 6/7 build. Second, it was needed when the remaining four stations were added for a total of thirty eight for the release 6/7 delta build. The ARAIM ground stations may be appreciably simpler than today’s WAAS reference stations. For example, they may not be triple threaded. As such, we may need to simulate ARAIM ground stations based on the study of experimental deployments. Alternatively, we may wish to actually add ARAIM ground stations to the WAAS network.

7.5. Conclusions

The ARAIM/ISM prototype effort would be a significant step to development of the algorithms and support functionality in the evolution to worldwide LPV-200. It would have a firm foundation based on the current WAAS prototype capabilities. This prototype can smoothly evolve to include the first versions of the ARAIM algorithms and the suggested message content of the ISM. This prototyping activity should begin in the near term in order to support development of operational capabilities in the 2018 timeframe.

86 8. Single Constellation ARAIM Considerations for the U.S. Military

The F/A 18 program has expressed an interest in enabling vertical guidance using ARAIM as described by the GEAS. This project would benefit both the FAA and the Navy. For the Navy, it would provide worldwide availability of vertical guidance down to LPV 200 or LPV 250. The Navy hopes that this capability would be based on the GPS constellation alone. This limitation is in sharp contrast to the multi-constellation ARAIM technique developed in the earlier sections of this report. Even so, the FAA stands to benefit from the Navy interest. For the FAA, single constellation ARAIM would provide a proof of concept for vertical guidance using ARAIM and very valuable experience. In Section 8.1, we first examine the differences between the Navy concept and the use of ARAIM as analyzed herein for the civil mission. Since ARAIM with one constellation has lower availability, we explore advanced techniques to improve the continuity of the service. One of these techniques is RRAIM-Extended ARAIM (ERAIM), which is a combination of the ARAIM concept and the Relative RAIM concept. Subsection 8.2 provides a description of ERAIM. Finally, subsection 8.3 presents availability results using both ARAIM and ERAIM showing that the Navy could be well served by an L1-L2 ARAIM or ERAIM system based on one constellation.

8.1. Differences Between Civil and Military Applications of ARAIM

There are several differences in the military application that might make it easier to adopt ARAIM based on GPS alone for vertical guidance. They are discussed in the following paragraphs.

8.1.1. Dual Frequency

For the military, a full constellation of dual frequency signals is already available from GPS today; the P(Y) code modulates GPS signals at L1 and L2 (1227.60 MHz). These L2 signals are not suitable for civil use, because they are not within an ARNS/RNSS portion of the radio spectrum. However, they are suitable for military use. The noise characteristics on the L1-L2 pseudorange measurements are comparable to the noise characteristics assumed by the GEAS for L1-L5. Similarly, the ability to remove the ionospheric delay is almost as good with L2 as it will be with L5. Not only is this capability available now, it also has a long track record. Section 6 of this report shows that an L1-L2 ARAIM receiver would have been safe from 2007 to 2008.

8.1.2. Availability Requirements

The Navy has a less stringent availability requirement for vertical navigation than the FAA. First, RAIM would not be replacing an already existing service but providing a new capability. Also, the Navy has less concern about attaining high availability at all location worldwide and is willing to consider navigation systems with high average availability. Additionally, the Navy would be well served with LPV 250, which requires a 50 m of VAL instead of the 35 m required for LPV 200, which is the GEAS target for

87 civil aviation. Finally, the Navy would be satisfied with good availability results assuming a constellation similar to the current one, as opposed to the FAA, which requires good availability using the smallest guaranteed constellation. As will be shown in Section 8.3, these relaxations in the availability requirements could make ARAIM achievable using the current constellation and the current signals.

8.1.3. Smaller Set of Users and Receiver Types

As opposed to the civil application, a military ARAIM would also have a reduced set of users. An ARAIM malfunction (due to a violation of the constellation assumptions, for example) would affect a small user population, as opposed to many in the civil case. It is also likely that military users could be notified were there to be a malfunction causing the constellation to violate ARAIM requirements.

Also, one of the concerns in the civil application is the wide variability of the receiver response to nominal and faulted signal deformations. Theses concerns are not nearly as important in the military application. First, the chipping rate is larger, which probably reduces the magnitude of signal deformation induced biases compared to the CA code. Second, even if the biases were large, they could potentially be calibrated. This would be possible because there would be relatively few receiver types.

8.1.4. Integration with Other Sensors – Use of Relative RAIM

ARAIM for the F/A 18 program would be integrated with other sensors, in particular the baro-altimeter. Although it is not clear what the current accuracy is on the other sensors, their use should ease the certification of ARAIM. Also, as will be discussed in detail below, a military receiver could include ERAIM, which is a combination of Relative RAIM and ARAIM. ERAIM would improve the continuity of the service.

8.2. RRAIM-Extended ARAIM (ERAIM)

In the RRAIM “architecture” described in the Phase I GEAS Report fault detection was performed using a combination of GNSS Integrity Channel (GIC) ground based monitoring and a carrier phase RRAIM function. [Gratton2] The architecture represented a practical intermediate solution between two other GEAS architectures under consideration at the time—GIC and ARAIM. It relied heavily on the monitoring capability of a global WAAS-like GIC to establish the integrity of an initial (stored) code-based position fix. The subsequent use of ‘coasting’ with time-differential carrier phase provided the means for punctual position estimation and also for fault detection using a carrier phase RAIM function. This RRAIM-aided architecture eliminated global Time-To-Alert (TTA) concerns associated with a GIC-only architecture. Preliminary analysis showed that the RRAIM approach could potentially enable LPV-200 operations with worldwide coverage using a 27 space vehicle (SV) constellation. The detailed algorithms for position and range domain implementations of the concept were described in the GEAS Phase I report and in [Walter2].

88 In this Phase II Report, we re-interpret RRAIM (with carrier coasting) as a function rather than an architecture. From this viewpoint, the original “RRAIM architecture” discussed in Phase I is simply an RRAIM function augmenting the more fundamental GIC architecture to relax the GIC TTA requirement for global users. In this context, we can also consider adding the RRAIM function to the fundamental ARAIM architecture. However, the purpose here is not to relax TTA, which is essentially instantaneous for ARAIM, but potentially to coast through ARAIM unavailability intervals. The concept, called RRAIM Extended ARAIM (ERAIM), is illustrated in Figure 8-1 and is particularly attractive for improving ARAIM availability based on only one constellation. At a current time tk, if the Vertical Protection Level for ARAIM, VPLARAIM(tk), exceeds the Vertical Alert Limit (VAL), then the aircraft can go back in time through stored measurements and satellite geometries by an interval tcoast such that tj = tk – tcoast and VPLARAIM(tj) < VAL. The punctual position fix at tk is then generated using time differential carrier across tcoast, and fault detection over the interval is performed using carrier phase RRAIM. The detection thresholds achievable using carrier phase RRAIM are potentially much tighter than those for code-based ARAIM. Hence, the resulting ERAIM protection level during the coasting interval will be smaller than the punctual ARAIM protection level: VPLERAIM(tk) < VPLARAIM(tk).

If successful, the concept would improve the global coverage of ARAIM sufficiently for operation with one constellation containing 27 satellites. In this section and the next, we will develop candidate algorithms for positioning, fault detection, and protection level generation, and will quantify coverage and availability to compare with the existing ARAIM-only results given earlier.

VPLARAIM(tk)

VAL

VPLARAIM(tj)

VPLARAIM

tcoast

VPLRRAIM(tk)

tj tk time

Figure 8-1: RRAIM-Extended ARAIM Concept

8.2.1. ERAIM Positioning Algorithm

In order to describe the measurement and position relationships in time, two subscripts j and k are introduced to indicate the current time epoch k and a previous time epoch j.

89 The ERAIM navigation solution for current position is based on a previous ARAIM- approved position estimate x0, j projected forward to the current time using a relative carrier-phase position estimate:

x0,k = x0, j + Δx0,k− j (8-1)

The subscript ‘0’ here signifies position estimate using all satellites in view (i.e., ‘zero’ satellites excluded.) The relative position estimate Δx0,k− j from epoch j to current epoch k is computed using relative carrier-phase measurements from all satellites continuously tracked between epochs j and k:

~ Δx0,k− j = S0,k− j rk− j , (8-2) where the projection matrix for the relative positioning is

T ~ −1 T ~ S0,k− j = (Gk Wk− jGk ) Gk Wk− j , (8-3)

~ and the compensated time-differenced carrier-phase measurement rk− j is formed by the K raw carrier-phase measurements rk at current epoch, and those at the base position K epoch, rj , plus geometry change compensation:

~ K K rk− j = rk − rj − ΔGk− j x0, j

where ΔGk− j is the geometry change matrix (ΔGk− j ≡ Gk − G j ) .

The weighting matrix used in the projection matrix S in equation (8-3) is

~ 2 2 T −1 Wk − j = [diag (Δσ r,1,",Δσ r,n ) + ΔGk − j cov(δx0, j )ΔGk − j ] (8-5)

2 th where Δσ r,n is the variance of n relative carrier-phase measurement coasting error, and the second term on the right-hand side combines the error projected from the base position error δx0, j through the geometry change matrix. (Note: There are a total of n usable SVs at the epoch j. If any SV is lost between epochs j and k, the corresponding column and row of the weighting matrix is set to zero).

2 th The carrier-phase measurement coasting error Δσ r,n of the n satellite over a coasting period T (from epoch j to epoch k) is due to three error sources: satellite clock and ephemeris coasting error Δσ clock +ephem,n , tropospheric coasting error Δσ trop,n , and

90 double-difference carrier-phase measurement noise plus multipath error Δσ v+mp,n . Each individual coasting error is treated as independent from the others. Therefore, the variance of the total coasting error is the sum of the variances of each individual error sources:

2 2 2 2 Δσ r,n = Δσ clock +ephem,n + Δσ trop,n + Δσ v+mp,n (8-6)

8.2.2. Time-differenced Carrier-phase Measurement Error Model

Satellite clock and ephemeris drifting error model

The satellite clock and ephemeris drift error over time interval T can be modeled as zero- mean and normally distributed with a standard deviation of

Δσ clock+ephem,n = 0.085 cm/sec ×T (8-7)

This is an empirical model that is consistent with GPS measurement data collected and processed by van Graas [van Graas]. It is the same model that was used in the GEAS Phase I Report.

Tropospheric error model

The effect of tropospheric spatial decorrelation experienced by a moving aircraft is also modeled as a zero mean normal distribution with standard deviation

cm cm 90° − el o Δσ = (1.22 + 0.41 × n )× 0.092 km/s ×T (8-8) trop,n km km 85°

o th where eln is the corresponding n satellite’s elevation angle in degrees.

The equation (8-9) is based on the analysis of tropospheric spatial decorrelation measurement data by van Graas [van Graas], and Huang [Huang]. This model captures tropospheric gradients seen during severe storms. However, time differential tropospheric errors are bounded, so upper limits are applied to Δσ trop,n as a function of elevation angle as defined in Table 8-1.

Table 8-1 Upper Limits on Δσ trop as a Function of Elevation el o (degree) 5-10 10-20 20-30 30-40 40-90

Δσ trop (cm) 40 20 14 10 8

91

Carrier-phase measurement noise and multipath error model

Carrier-phase receiver measurement noise is well modeled as white process, so its contribution to Δσ v+mp,n is not a function of coasting period T. However, multipath is correlated in time, so time-differencing results in a contribution to Δσ v+mp,n that will vary with T but will become constant as T exceeds the multipath time constant (which is typically less than 20 s for a moving aircraft). In this report, a conservative constant value of Δσ v+mp,n for all values of coasting period and any elevation angle is adopted:

Δσ v+mp,n = 6 cm (8-9)

8.2.3. ERAIM Fault Detection Algorithm

The position estimate error for a full-set solution at current epoch k can be derived using a solution separation fault detection like that used for ARAIM:

δx0,k = xn,k − x0,k + δxn,k (8-10)

th where xn, j is the n subset position estimate (i.e., estimate with satellite n removed) and th δx0, j and δxn, j are the estimate errors for the full-set and n subset estimates, respectively. Substituting the ERAIM full-set and nth subset positioning estimates into (8-10), we obtain

δx0,k = (xn, j + Δxn,k − j ) − (x0, j + Δx0,k − j ) + (δxn, j +δΔxn,k − j ) (8-11) where the nth subset ERAIM position estimate is computed as:

xn, j = Sn, j rn, j (8-13) ~ Δxn,k − j = Sn,k− j rk− j (8-14) T ~ −1 T ~ Sn,k− j = (Gk M nWk− jGk ) Gk M nWk− j (8-15)

th The test statistic for n satellite fault detection at vertical position (dn) is then

dn = (xn, j + Δxn,k − j )(3) − (x0, j + Δx0,k− j )(3) (8-16) where the subscript within the parenthesis indicates the third component of position vector, which corresponds to the vertical position state in an East, North, UP (ENU) state vector coordinate realization.

92 th The corresponding detection threshold for the n test statistic (Dn) is

N D = K ×σ + B − B × Nominal Bias (8-17) n ffd ,n,k dV ,n,k ∑ 0, j n, j 3rd row n=1 where

B0, j ≡ [I − S0,k− j ΔGk− j ]S0, j , Bn, j ≡ [I − Sn,k− j ΔGk− j ]Sn, j , (8-18) and “Nominal Bias” is an upper bound on non-Gaussian errors at time j under normal error conditions. The fault-free standard deviation of the Gaussian contribution to the test statistic is represented by:

σ dV ,n,k ≡ dPn,k (3,3) (8-19) where

−1 T ~ T dPn,k = [Bn, j − B0, j ]W j,URE [Bn, j − B0, j ] +[Sn,k − j − S0,k − j ]Wk − j [Sn,k − j − S0,k − j ] (8-20) and the notation dPn,k(3,3) denotes the (3,3) element of dPn,k.

The fault-free detection multipliers Kffd,n,k are selected (for n = 1, 2, ..., N) to ensure that the sum of the fault-free alarm probabilities for all N tests is lower than the continuity risk requirement. In the simplest implementation, this risk is allocated equally across all N tests. This uniform allocation is used to generate the results in the next section.

VPL equation for ERAIM

Like the ARAIM case, the ERAIM protection levels are derived for the fault-free full-set (VPL0) and, under the fault hypotheses, for all the subsets (VPLn). For the fault-free hypothesis

N VPL = K ×σ + B × Maximum Bias (8-21) 0 md ,0,k V ,0,k ∑ 0, j 3rd row n=1 where “Maximum Bias” is an upper bound on non-Gaussian errors at time j under worst- case error conditions, Kmd,0,k is selected to meet the fault-free integrity allocation, and

σV ,0,k ≡ P0,k (3,3) (8-22)

T −1 T ~ −1 P0,k = (I − S0,k − j ΔGk − j )(G jW jG j ) (I − S0,k − j ΔGk − j ) + (GkWk − jGk ) (8-23)

The error contribution due to geometry change (over the projection interval T) is captured in the first term in equation (8-23).

93

Under the fault hypotheses, VPLn is derived as:

N VPL = D + K ×σ + B × Maximum Bias n n md ,n,k V ,n,k ∑ n, j 3rd row n=1

th where Kmd,n,k is selected to meet the integrity allocation for a fault on the n satellite, and

σV ,n,k ≡ Pn,k (3,3) (8-24)

T −1 T ~ −1 Pn,k = (I − Sn,k − j ΔGk − j )(G j M nW jG j ) (I − Sn,k − j ΔGk − j ) + (Gk M nWk − jGk ) (8-25)

In the performance results that follow, the same methods used to optimize ARAIM VPL formulas described in Section 3 are applied to optimize ERAIM VPL formulas as well. Integrity risk is allocated among the hypotheses such that all VPLs are made nearly equal.

8.3. Availability results using ARAIM and ERAIM

A preliminary analysis of ARAIM/ERAIM availability for both LPV-200/250, with three different GPS L1/L2 constellations, was conducted. The same assumptions made in section 4 for ARAIM global coverage availability simulations were applied to the ERAIM availability simulations, which include GPS error models, navigation system requirements (LPV-200), global grid points (latitude: 70 deg to -70 deg, longitude 180 deg to -180 deg, 5 deg grid spacing), availability requirement (99.5%) and geographic weighting algorithm. The only difference is the multiplying factor applied to the multipath due to the iono-free combination, which depends on the two frequencies (L1 and L2) [Lee2].

Two error model parameters for standalone positioning (applicable for ARAIM, and for epoch j in ERAIM) were used. They are shown in Table 8-2 and correspond to Case #2 and #3 presented in section 4. The carrier-phase coasting error models needed for ERAIM are the ones presented in section 8.2.

The criteria to determine ARAIM availability is applied to ERAIM availability evaluation. The GNSS navigation system is available when (considering only the more stringent vertical requirement):

VPL ≤ VAL where VPL = max { VPL0, max(VPLn) } (8-26)

The coverage results are shown in Tables 8-3, 8-4 and 8-5 for a constellation representative of the current GPS constellation, the optimized 24 and 30 SV constellations used in the GEAS Phase I Report.

94 Table 8-2 Error Models

Maximum Nominal One σ (meters) URA URE Bias Bias Case #2 1 0.5 0.5 0.1

Case #3 2.4 1 0.5 0.1 *Note: Nominal GEAS tropospheric and smoothed code multipath error models are also used.

Table 8-3 Availability Results for the Current L1/L2 GPS Constellation (32 satellites)

Case #3 Case #2 Navigation Algorithm average 99.5 average 99.5 Requirements ARAIM 92.7 0.8 99.6 72.1 LPV-200 ERAIM 96.7 16.9 99.8 83.5 ARAIM 98.7 37.9 99.9 93.2 LPV-250 ERAIM 99.5 69.5 99.9 96.0

Table 8-4 Availability Results for an Optimal 24 Satellite L1/L2 GPS Constellation

Case #3 Case #2 Navigation Algorithm average 99.5 average 99.5 Requirements ARAIM 77.5 0 97.6 20.3 LPV-200 ERAIM 86.4 0 98.5 36.4 ARAIM 93.1 0.1 99.4 65.6 LPV-250 ERAIM 96.7 7.7 99.7 79.3

Table 8-5 Availability Results for an Optimal 30 Satellite L1/L2 GPS Constellation

Case #3 Case #2 Navigation Algorithm average 99.5 average 99.5 Requirements

95 ARAIM 97.2 8.9 99.98 99.2 LPV-200 ERAIM 99.1 57.6 99.99 100 ARAIM 99.9 90.4 100 100 LPV-250 ERAIM 99.9 98.4 100 100 Note: ERAIM coasting time is limited to 30 minute maximum in Tables 8-4, 8-5 and 8-6

As shown in Tables 8-3 through 8-5, average availability is significantly better than the fractional coverage achieved when 99.5% availability is required at any given location. For example, Table 8-3 shows that the average availability for the current GPS constellation is 99.5% when ERAIM is used and the error model from Case #3 is assumed. In contrast, the fractional coverage is only 69.5%. In addition, the availability for LPV-250 is much better than the availability for LPV-200. Once again, consider the results for Case #3 and the current GPS constellation. The average availability for ERAIM is only 96.7% for LPV-200, but this rises to 99.5% for LPV-250. Finally, ERAIM does provide meaningful augmentation. For our favorite example, it improves availability from 98.7% to 99.5%. For all of these reasons, single constellation ERAIM is promising for military application and requirements.

96 Appendix A. GPS III Integrity Enhancements

As describe in Section 1, the GPS program is planning integrity enhancements for the core GPS constellation. One objective of the GEAS effort is to make sure that these enhancements yield performance improvements for civil aviation. Corollary objectives are to ensure that similar changes to other GNSS constellations also yield aviation benefit. This Appendix focuses on integrity planning within the GPS program office.

The enhancements to GPS integrity are motivated by an assessment in the February 2000 GPS Operational Requirements Document (ORD). This document states that one deficiency of GPS II was the inability to support aviation operations without additional integrity augmentation [Kovach].

The concept was developed, in part, based on a joint GPS Wing and DOT/FAA Integrity Failure Modes and Effects Analysis (IFMEA) study. This and previous studies showed that the primary historical integrity failure modes were due to Space Segment (SS) run- away clock faults and errors in the data and commands uploaded by the Control Segment (CS). If those integrity failure modes could be eliminated, these results suggested that the level of integrity provided by GPS could be improved to better than 1 - 1 x 10-7/hr for the portion of the constellation in view of a terrestrial or airborne user. This is a level of integrity that can directly support aviation operations down to Category I precision approach, according to the Standards and Recommended Practices (SARPS) published by the International Civil Aviation Organization (ICAO). This level of integrity can also support the integrity needs of many other non-aviation applications.

The feasibility of detecting and correcting for satellite clock faults has already been demonstrated by the clock monitoring capabilities provided aboard the Block IIR and IIR-M satellites. Various improvements made to the CS upload procedures over the years have demonstrated the feasibility of preventing upload errors. It is primarily a matter of applying the necessary degree of rigor during development of GPS III to achieve the integrity goals.

An important consideration to note is the definition of what magnitude of error constitutes an integrity failure. The classic standard applied to Block II is 30 meters or 4.42 times the broadcast User Range Accuracy (URA) value, whichever is less. In the GPS III era, an integrity failure will be defined by a limit of 5.73 times the broadcast URA. This will typically be in the range of 2-7 meters. Hence, more attention will have to be paid to preventing and detecting smaller magnitude errors than in Block II.

GPS III will need to support an overall time-to-alert TTA of six seconds (between onset of an integrity failure and an alert to the user) to support Category I precision approach. The allocation to the User Equipment (UE) is 0.8 seconds and the allocation to the SS and CS is 5.2 seconds (output from the satellite antenna).

97 A.1 Space/Control Implementation

In general, the GPS III SS/CS implementation approach is for the Block III satellites and the GPS III Control Segment (“OCX”) to assure the integrity of their own functions.

The Block III satellites will be equipped with built-in capabilities to detect clock failures and other on-board faults, rapidly disable the affected ranging signals, and report the problem to the Control Segment for corrective action. The primary means of rapidly disabling a signal is to transmit non-standard code (NSC) in lieu of the standard Pseudorandom Noise (PRN) code. In addition, other means can be used, such as simply ceasing to transmit the erroneous signal, if they result in a timely and unambiguous alert to the UE to stop using the signal. By detecting most satellite faults on board, the TTA can be minimized, which also minimizes the exposure of users to a potential integrity failure. In some cases a developing failure can be detected prior to exceeding the integrity limit, thus preventing an integrity failure in the first place.

Integrity within the OCX will be focused on validating commands and uploads before they are transmitted to the satellites, thereby preventing errors from propagating to the satellites and the ranging signals. Particular emphasis will be placed on validating the URA-related data in the upload.

Some cross-checks between the segments will be necessary. For example, the OCX will be responsible for detecting and correcting slow drifting satellite clock errors and ephemeris errors that are undetectable aboard the satellites (i.e., just like the CS does today with its contingency upload process). In this case, the OCX will need detect these trends and correct these errors before they become integrity failures, because the OCX will generally not be able to react to an integrity failure within the TTA.

Other cross-checks may be desirable. For example, a satellite could ensure that it is set unhealthy by the OCX before the satellite executes a command that could cause erroneous signals (e.g., a maneuver). Similarly, CS functions used to monitor Block II satellite integrity performance could be retained during the GPS III era as a backup monitoring capability. This backup capability, coupled with rapid commanding via crosslinks between satellites, could provide additional insurance against unexpected satellite anomalies.

A.2 Signal-In-Space (SIS) Implementation

Because the legacy NAV messages have very few spare bits, the GPS III integrity concept includes the idea of using the existing URA parameters in the NAV messages instead of defining new parameters. To enable this re-use, a single-bit Integrity Status Flag (ISF) will be added to the NAV message for each signal. The ISFs will indicate the level of integrity assurance provided for the URA parameters broadcast by a satellite so that a receiver can distinguish between legacy (1 - 1 x 10-5/hr/SV) and assured (1 - 1 x 10- 8/hr/SV) levels of integrity.

98

Note that the primary use of the ISF is to indicate the near-term integrity capability of the satellite and the CS with respect to the transmitted SIS. The ISF is not an integrity warning or alert in the classic sense because a NAV message containing an ISF takes too long to transmit to support a 5.2 sec time-to-alert. As described previously, the primary integrity warning (alert) mechanism will be to transmit NSC in lieu of the standard PRN code.

For the legacy NAV messages, the ISF bits were chosen from bits that existing Block II satellites already broadcast as a fixed value of zero (i.e., bit 23 of the TLM word, see IS- GPS-200). Therefore, zero is defined as the "legacy integrity" state. ISF bits for the modernized messages were chosen to be in close proximity to the URA parameters that they reference.

During the constellation build-up period, the ISF for all GPS III satellites will be set "off" until an initial operating capability (IOC) for GPS III integrity is declared. Similarly, the ISF's for newly launched satellites will be set "off" until the integrity capability aboard the satellite passes all required on-orbit testing and is declared operational. The ISF could also be set to "off" for a GPS III satellite that has a failure in its on-board monitoring systems but otherwise supports the legacy integrity capability. The satellite would then still be usable by non-integrity users, or by users with an independent source of integrity monitoring like RAIM.

A.3 Receiver Implementation

Receivers will need to use position domain integrity algorithms similar to those defined for the FAA WAAS system in RTCA/DO-229. The receiver will calculate a real-time estimate of position error, the Protection Level (PL), and will then compare that PL to the integrity requirement for the current operation, the Alert Limit (AL). If the PL equals or exceeds the AL, the receiver will issue an alert to the user and/or using systems that the integrity of the current position solution is not acceptable for the operation being performed. The details of the GPS III PL algorithms are still being developed; and will need to be thoroughly reviewed by the civil aviation community before they can be finalized.

Receivers will not require any special algorithms to react to the integrity “do not use” alerts or indications issued by the GPS III satellites, except to monitor the status of the ISF. When a satellite broadcasts NSC or ceases transmitting a signal, a receiver will inherently be unable to maintain track of the signal. Similarly, existing “do not use” indications described in IS-GPS-200, such as, invalid parity, SV health bits set unhealthy, etc., will still need to be monitored by a receiver in the GPS III era as they are today.

A.4 Development Assurance

99 As with any system, integrity is not just a product of the functions of the system, it is also a product of the assurance processes used to develop the system. GPS III is being developed using integrity assurance processes patterned after those used for aviation. Specifically, SS and CS analyses will be conducted using guidance provided in the Society of Automotive Engineers (SAE) Aerospace Recommended Practice (ARP) 4754, “Certification Considerations for Highly-Integrated or Complex Aircraft Systems,” and SAE ARP 4761, “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment.” Similarly, software and complex hardware development will be conducted using guidance provided in RTCA DO-278, “Guidelines for Communication, Navigation, Surveillance, and Air Traffic Management (CNS/ATM) Systems Software Integrity Assurance” and RTCA DO-254, “Design Assurance Guidance for Airborne Electronic Hardware.”

100 Appendix B. GNSS Performance Characteristics and Information Needed to Support ARAIM for LPV-200

Other sections of this report have described the use of ARAIM with satellites from multiple GNSS core constellations. In order for ARAIM to provide the integrity, continuity, accuracy, and availability performance needed for LPV-200 operations, GNSS core constellation satellites must have certain performance characteristics. Furthermore, certain information must be known about satellite signal performance. This appendix describes a list of the needed performance characteristics or information. One set of performance characteristics and information is general. The other performance characteristics and information are grouped according to which LPV-200 requirement they primarily support: integrity, continuity, accuracy, or availability. Certain performance characteristics are needed to support more than one LPV-200 requirement, so the grouping is not strict.

B.1 General GNSS Characteristics and Information

General core constellation performance characteristics and information that are needed are as follows:

• Known difference in coordinate systems. GNSS core constellations are not expected to use a common coordinate system. However, the difference in coordinate systems must be known by user equipment so that user equipment can convert satellite positions into a single coordinate system.

• Time reference. Core constellations do not need to use a common time reference, and the differences between time references do not need to be broadcast, because user equipment can solve for the time difference. However, availability might be slightly improved if the time differences between core constellation pairs (or equivalently, differences from a known reference time) are broadcast. If the time differences are broadcast, the integrity of the broadcast time differences must be known, i.e., the probability that time difference error is greater than a certain tolerance.

• Stability in core constellation time reference. Each core constellation time reference must be stable relative to a theoretical absolute time reference. That is, the rate of change of core constellation time relative to an absolute time scale must be limited.

• Code/carrier coherence and signal frequency coherence. GPS interface specifications [IS-GPS-200D, IS-GPS-705, IS-GPS-800] state that all signal elements (codes, carriers, and data) transmitted by a given satellite must be coherently derived from the same onboard frequency source. The possibility of GPS fault conditions that result in incoherence can be taken into account by ARAIM algorithms, but the probabilities of incoherence must be known and small. It is highly desirable that all signal elements transmitted by a given

101 satellite in all core constellations are derived from the same onboard frequency source. If not all signal elements are derived from the same onboard frequency source, then nominal performance (magnitude of incoherence) must be known by user equipment, as well as characteristics of faulted performance. See below for further explanation.

B.2 Characteristics and Information to Support LPV-200 Integrity

Core constellation performance characteristics and information needed mainly to support LPV-200 integrity requirements are as follows:

• Fault-free error bounding. Achieving the required ARAIM missed detection probability is based on the assumption that the distribution of URE (excluding fault conditions) is bounded by a Gaussian distribution whose standard deviation is known. A concept of distribution bounding is defined in [DeCleene]. In the case of GPS, the standard deviation of range error is assumed to be no larger than the URA. A characterization of URE similar to URA with the same or a similar property is needed for other core constellations.

• Correlation of URE across satellites. Achieving the required ARAIM missed detection probability is based on the assumption that URE for different satellites is uncorrelated. If URE correlation is nonzero in the absence of fault conditions, ARAIM may need modification. If the probability of multiple fault conditions or consistent faults is non-negligible, some monitoring by an external system such as a Civil GNSS Monitoring System (CGMS) may be needed as discussed in Section 3.

• Probability of fault condition onset. Achieving ARAIM integrity requirements is based on the assumption that the probability of onset of a fault condition per unit time is known for each satellite. The value could either be a constant (which could be constellation- or satellite-dependent) or could be broadcast in the ISM). If broadcast in the ISM, the ISM contents would need to have assured integrity, e.g., protected by a Cyclic Redundancy Check (CRC).

• Probability of simultaneous fault conditions on multiple satellites. Achieving the required LPV-200 integrity performance using ARAIM is dependent on an assumption of the probability of existence of simultaneous fault conditions on different satellites. If the probability is too large, then a mitigation may be needed as discussed in Section 3, or else ARAIM must be designed to account for multiple faults in a single constellation as described in Section 2.

• Characterization of nominal, deformed, and severely deformed signals. GPS signals are known to have range measurement bias errors that vary slightly as a function of user equipment characteristics, even when no fault condition is present [Phelts]. The same is likely true of other core constellation satellite signals. GPS fault conditions thought to be possible on current GPS satellites are estimated to

102 result in errors described in ICAO Annex 10, Attachment D [ICAO1]. Nominal and deformed signals must be characterized for all GNSS core constellations. See “Knowledge of range measurement bias errors” below.

• Probabilities of onset of deformed and severely deformed signals. The probability of onset of deformed signals per unit time for each satellite must be known by user equipment so that ARAIM availability criteria are set to achieve the required detection probability. If the probability of severely deformed signals is non- negligible, that probability must also be known. As with other fault conditions, the probabilities could be assumed to have fixed values, or values could be contained in the ISM.

• Probability of onset code-carrier divergence on each frequency. GNSS user equipment is expected to use dual-frequency carrier smoothing to reduce the effects of airborne multipath and noise on range measurements. If code/carrier divergence occurs at the output of the satellite antenna, it could result in a fault condition. The probability of onset of code-carrier divergence per unit time must be known for each satellite by user equipment. As with other fault conditions, the probabilities could be assumed to have fixed values, or values could be contained in the ISM.

• Probability of frequency incoherence for signals on different frequencies. If frequency incoherence occurs, it could result in a fault condition. The probability of onset of frequency incoherence per unit time must be known for each satellite by user equipment. As with other fault conditions, the probability or probabilities could be assumed to have fixed values, or values could be contained in the ISM.

• Duration of anomalous conditions. The knowledge of the duration of each type of anomalous condition is used in conjunction with its onset probability in order to estimate the a priori probability of each type of signal fault condition. The a priori probabilities of signal fault conditions are used to derive ARAIM’s required conditional missed detection probabilities. The duration of each signal fault condition must be known for each core constellation signal fault type. In addition, the product of the duration of anomalous conditions of each type and the probability of onset of an anomalous condition of that type must be limited. If the sum of the products over anomalous condition types is much larger than 10-5, then the assumption that only a single fault will exist during an LPV-200 approach is not valid6. In that case, ARAIM may need to be designed to detect fault conditions on two satellites instead of single-satellite fault conditions.

6 If the probability of existence of a single fault condition is p for a given single satellite and N satellites are used in the position solution, the probability of two fault conditions existing during an LPV-200 approach

⎛ N ⎞ 2 N −2 is ⎜ ⎟ p ()1 − p . If N is 20 (e.g., if both GPS and Galileo satellites are used), then the ⎝ N − 1⎠ probability of two simultaneous fault conditions is 1.9 × 10-8. If p is much larger than 10-5, then the probability of two faults would be a significant portion of the total integrity risk budget.

103

• Knowledge of range measurement bias errors. By definition, range measurement bias errors depend on user equipment characteristics such as precorrelation bandwidth, filter order and type, and correlator spacing. In order for the user equipment vertical and horizontal protection levels to be assured to bound user position error, bounds on these range measurement bias errors must be known and accounted for in UE VPL and HPL.

B.3 Characteristics and Information to Support LPV-200 Continuity

Continuity risk (the probability of an unpredicted loss of LPV-200 service during an approach) is a combination of contributions from unpredicted satellite signal outages, false integrity alerts, true integrity alerts, and other causes. Core constellation performance characteristics and information needed mainly to support the LPV-200 continuity requirement are as follows:

• Probability of onset of unpredicted signal outages. A loss of a useable satellite signal results in a loss of LPV-200 service if the satellite is “critical” to LPV-200 service (by definition). The probability of onset of unpredicted signal outages per approach must be limited in order that the LPV-200 continuity requirement can be achieved. The probability of onset of unpredicted signal outages must also be known for each satellite so that the total acceptable probability of unpredicted loss of service per approach can be allocated among the contributors to it. The allocations are used to derive ARAIM detection thresholds.

• Probability of onset of multiple unpredicted satellite outages. A simultaneous loss of multiple satellite signals is likely to cause a loss of LPV-200 service. The probability of onset of unpredicted loss of multiple satellite signals (e.g., due to a common cause) per approach must be limited, and also must be known so that the total acceptable probability of unpredicted loss of service per approach can be allocated among its various contributors.

• URE time constant. The URE time constant, together with other URE characteristics, determine with what probability per approach the ARAIM decision statistic will exceed a threshold and result in an ARAIM alert when no fault condition is present. Such an alert is called a false alert, and its probability is a contribution to ARAIM continuity risk when the apparent source of the alert cannot be excluded. The URE time constant must be known in order to allocate a portion of the total allowable continuity risk to false integrity alerts and derive ARAIM detection thresholds.

B.4 Characteristics and Information to Support LPV-200 Accuracy

Core constellation performance characteristics and information needed mainly to support the LPV-200 accuracy requirement are as follows:

104 • RMS URE must be limited to somewhat less than 1 m. The exact requirement will depend on the total number of useable satellites. If a larger number of satellites are useable, then user-to-satellite geometry will be better, and somewhat larger ranging errors are tolerable in order to achieve the same overall position accuracy. RMS URE must also be known by UE in order to set detection thresholds. URA is one candidate estimate of RMS URE, but if URA is conservative, then UE knowledge of a separate, smaller realistic RMS URE would result in increased availability.

• Frequency separation for the signals used to derive “ionosphere-free” range measurements. GNSS user equipment conducting LPV-200 approaches is expected to use the “ionosphere-free” combination of range measurements at two different frequencies in order to remove most of the effect of ionospheric delay. If the two frequencies are too close together, the linear combination that removes ionospheric delay will have a large amplifying effect on user equipment multipath and noise. For example, the GPS L2 and L5 combinations would multiply the effect of user equipment multipath and noise at L2 and L5 by factors of 12.26 and 11.26. Therefore, the two frequencies must be adequately separated.

B.5 Characteristics and Information to Support LPV-200 Availability

Core constellation performance characteristics and information needed mainly to support LPV-200 availability requirements are as follows:

• Frequency of onset of predictable signal outages. Signal outages can result in loss of service as noted above. Predicted signal outages should be advertised to users via the equivalent of Notice Advisories to Navstar Users (NANUs) and/or Notices to Airmen (NOTAMs) so that users will not plan to rely on signals that will not be useable.

• Duration of signal outages. The combination of the frequency of signal outages and their durations determines the fraction of time that a signal is not useable.

• Core constellation signal geometry. The combination of the number of satellite signals, their geometry, and signals are useable is a major contributor to service availability from a given core constellation. If many core constellations can be used, the contribution required from each constellation to support LPV-200 service availability is less.

105 Appendix C. Candidate Mitigations of Consistent or Other Multiple- Signal Fault Conditions

In order to avoid signal faults on multiple GPS or other core constellation satellites, the estimates of EOPs/EOPPs and antenna phase center locations must be valid. Existing processes for estimating EOPs/EOPPs and MS antenna phase center locations and communicating them to the GPS MCS already include many quality checks. However, a candidate set of improvements has been suggested for EOPs/EOPPs by Dr. William Wooden, Dr. Bill Tangren, and Dr. Brian Luzum of the U.S. Naval Observatory (USNO), Todd Kawakami of the National Geospatial-Intelligence Agency (NGA), and David Hoki of MITRE. A subset of these improvements is as follows:

• Modeling improvements • Obtaining more timely observation data • Multi-person reviews of estimates at USNO • Multi-person reviews of estimates at NGA • Consider MCS retrieval of EOPs from USNO, EOPPs from NGA, and comparison with other sources

A list of additional improvements to make the process more secure has been designated For Official Use Only. Any of these improvements may be worthwhile independent of any concern about multiple signal faults. However, even if improvements are made, the theoretical possibility still remains that a downstream fault within a core constellation MCS might lead to a multiple-signal fault condition that the residuals test associated with ARAIM does not reliably detect (at least without using satellites from a second constellation). These errors could manifest as late as just before upload of navigation message parameters, or a command, to satellites. If these errors exist, they would be observable in the MS-to-satellite range residuals associated with already-uploaded navigation message data or with data about to be uploaded. A mitigation that detects or prevents errors in range residuals will address all non-UE causes of multiple signal faults (except possibly in the case of signal quality distortions, which may affect MS measurements and UE measurements differently) because error in range residuals is what causes position error. If the mitigation addresses the effect, it does not matter what the cause is.

Potential methods of assuring that multiple signal fault conditions do not pose a risk to ARAIM users are as follows:

• Ground-based algorithm checks on MS-to-satellite range residuals at core constellation MCS(s). • Ground-based algorithm checks on ground-station-to-satellite range residuals at other locations such as a GNSS Civil Monitoring System (GCMS) • Airborne user equipment use of satellites from different constellations, based on the assumption that a set of consistent faults will be limited to a single constellation.

106 • In conjunction with any of the above, the time history of measurements could be leveraged to find a test with adequate sensitivity

In order for an MCS or GCMS algorithm to be effective for single-constellation ARAIM users, three conditions must hold:

1. The algorithm must be able to detect or prevent multiple signal fault conditions with the required missed detection probability within the required TTA and with an acceptable false alert probability.

2. The range residuals used by the algorithm checks are not themselves corrupted, or at least not corrupted in an undetectable way.

3. The software and hardware that implements the algorithm checks must faithfully implement the intended algorithm, i.e., the software and hardware must not have hidden design or implementation flaws that could result in a missed detection. This second condition is usually assured through the use of design assurance processes in RTCA guidelines referenced above.

(A variation on the use of algorithms is human review of range residuals associated with the to-be-uploaded or already-uploaded navigation message parameters. But again, human review would be effective only if the range residuals are not corrupted.)

Of course, ARAIM can be safely used for LPV-200 operations provided the risk of these conditions failing to hold is acceptably small.

C.1 Condition 1: Algorithm Performance Is Adequate

What is needed from an MCS or GCMS algorithm(s) is to assure that the probability of multiple range errors causing user position error greater than the UE ARAIM protection levels is a small fraction of the tolerable integrity risk of 2 × 10-7 per approach.

Two approaches are possible:

• Use specific algorithms tailored to particular threat conditions, such as one algorithm aimed specifically at earth orientation errors (which might result in consistent errors), and another algorithm at detecting more general instances of multiple-signal fault conditions • Use a single algorithm that detects all multiple-signal fault conditions, including consistent errors, that could pose a threat to ARAIM users

A possible advantage of using two separate algorithms is as follows. An algorithm capable of detecting consistent faults must shoulder the entire responsibility of detecting the fault because no credit can be given for ARAIM’s ability to detect them. In contrast, an algorithm that detects other multiple-signal fault conditions that are not consistent

107 faults may be able to have a less stringent missed detection probability, because ARAIM has a nonzero probability of detecting non-consistent multiple-signal fault conditions. If the second algorithm has a less stringent missed detection probability, its availability could be increased.

C.2 Condition 2: Range Residuals are Not Corrupted

In order to establish that condition 1 holds, it must be established that range residuals are not corrupted in an undetectable way at MSs, in transmission to the MCS, or at the MCS. On the WAAS program, FAA made a determination that the following is not a credible fault: that a common reference receiver software design flaw would cause undetectable measurement errors and lead WAAS to broadcast hazardously misleading information, if measurement data are available from redundant GPS reference receivers at multiple (three or more) geographically separated sites. That is, it was accepted that algorithms in a centralized master station could be devised that would avoid the broadcast of hazardously misleading information by WAAS, even if a common software design flaw existed in WAAS reference station receivers. The WAAS Master Station integrity assurance algorithms had to be (and were) implemented in software qualified to the appropriate design assurance level. It is believed that this finding could be applied to the GPS MSs and OCS as well.

C.3 Condition 3: The Implementation is Consistent with the Intended Algorithm

As stated in Section 3.2, one method that could be used to assure that a ground system software implementation is consistent with the intended algorithm is to qualify the software to design assurance level 2 of DO-278. (Prior to the development of DO-278, DO-178B was used for ground system software such as WAAS. DO-178B applies to software in airborne systems. Level 2 of DO-278 Level 2 is equivalent to Level B of DO-178B.) If the ground system contains complex hardware, one method of obtaining the required degree of design assurance is to develop the complex hardware to DO-254.

As is done in other systems, an architecture could be selected so that only a small portion of the software needs to be qualified to Level 2 of DO-278. This can be accomplished by partitioning or an equivalent method of ensuring that the remainder of the software does not interfere with the function of the algorithm(s) that detect or prevent hazards of concern to ARAIM. The algorithm(s) would also need to be protected from a design flaw in the operating system in the processor containing the algorithm(s). A straightforward method of assuring that the risk of operating system misbehavior is small is to use an operating system qualified to Level 2 of DO-278 or Level B of DO-178B. Such operating systems are commercially available. Some examples are Green Hills Software Inc. INTEGRITY®-178B, LynuxWorks LynxOS-178™, and Wind River Systems VxWorks DO-178B Platform.

108 The operational control segment software that will exist in the intended timeframe for use of ARAIM has not yet been developed. Other than to support the use of ARAIM for LPV operations, there is no reason for qualifying the future OCS software to Level 2 of DO-278 or Level B of DO-178B until the GPS IIIC timeframe, when GPS is expected to provide a high degree of integrity assurance without augmentation. Thus, alternative methods of obtaining the equivalent level of design assurance may be needed if the selected mitigation is implemented in the GPS MCS. An alternative method that was used in WAAS development is a safety-directed approach including Safety-Directed Analysis (SDA) and Qualitative Analysis (QA). The safety-directed approach is described in [CAST]. It is unclear which method (DO-278 or a safety-directed approach) would require the least amount of work.

C.4 Implementing Checks for Multiple-Signal Fault Conditions in GNSS Master Control Stations Vs. in a GNSS Civil Monitoring System

As noted above, checks for consistent errors could be made in either GNSS MCSs or in a GCMS. If checks are made in GNSS MCSs, they could be made prior to the upload of navigation message parameters to satellites. In that case, consistent errors large enough to pose a threat to ARAIM users could be prevented rather than detected. Thus the required time-to-alert would be met. The disadvantage of implementing checks in GNSS MCSs is that GNSS core constellation designers may not be interested in using RTCA design assurance standards (prior to the GPS Block IIIC timeframe, when it is assumed that they will be used). Complying with design assurance standards could involve developing software in accord with DO-278 Level 2, or alternatively using a safety- directed approach. Both methods involve additional work and cost compared to not using design assurance techniques.

A GCMS could also implement algorithm checks. A GCMS developed by FAA could be developed using whatever design assurance techniques are desired. The difficulty associated with implementing checks in a GCMS is meeting the time-to-alert. A GCMS would presumably not be able to check for consistent range residuals until the core constellation signals are also being used by users. In that case, there would not be sufficient time to alert ARAIM users or the core constellation operators of the problem, unless, for example, users were immediately alerted in an ISM broadcast by SBASs and/or GBASs. Note that if an SBAS or GBAS exists, LPV-200 service could be provided through the SBAS or GBAS with higher availability. A goal of ARAIM is not to depend on SBAS or GBAS. However, such a method may have utility in an SBAS GEO footprint outside an LPV-200 coverage area, or with a reduced-capability SBAS.

Other alerting methods that have been considered including notifying air traffic control towers. However, air traffic control towers do not exist for all runways.

The TTA might also be met if GNSS core constellation operators would provide navigation messages to the GCMS for checking prior to upload. However, GNSS core

109 constellation operators would most likely not be willing to submit their navigation message parameters to such a check by an external system prior to upload.

A third method of using a GCMS and meeting the time-to-alert is to ensure that in a GNSS core constellation, only one satellite at a time is uploaded with new navigation message parameters or given a command that could rapidly alter its range error. In that way, a GCMS would have time to detect one signal fault condition and alert users or the GPS MCS before the onset of a second fault in most cases, i.e., when the second fault is due to a satellite malfunction. Such a strategy would require a change to existing GPS operational procedures and thus may not be accepted.

A fourth method of using a GCMS is to somehow ensure that error due to multiple-signal fault conditions will manifest (grow) slowly. Currently, the GPS constellation usually transitions to a new issue of data (including new ephemeris and clock parameters) on all satellites simultaneously, often at two-hour intervals. ARAIM user equipment could compare old and new core constellation satellite positions and clocks when new data are issued. If changes on multiple satellites are sufficiently small, then it could be deduced that multiple-signal fault conditions do not exist or are growing slowly. In conjunction with this check, ARAIM user equipment could also use the ISM message to ascertain whether multiple-signal fault conditions exist. If this mitigation is selected, then the ISM message would have to be protected from corruption by un-trusted software, hardware, and transmission errors. Once ISM contents are created in trusted software and hardware, a possible method of protecting ISM contents during transmission through un- trusted systems is via a cyclic redundancy check (CRC).

Alternatively or in addition, if it is accepted that errors in different core constellations will be independent and not consistent across constellations, then a cross-check between range or position measurements from different core constellations could detect faults within any single constellation, and even single faults in each constellation. See Section 4.

C.5 Algorithm For Detecting Consistent Faults Associated With Incorrect Earth Orientation

Consistent faults associated with an incorrect earth orientation can be detected by a comparison of “true” MS positions based on surveyed antenna locations and their computed positions based on satellite information (from MS-to-satellite measurements and navigation message parameters either from currently broadcast navigation messages or a candidate navigation message about to be uploaded). An example and preliminary algorithm follows. The following notation is used:

• m identifies a MS • M is the total number of MSs

110 • Pm is a 3-vector from the center of the earth to the “true” x-, y-, and z-position of th an antenna at the m MS. Express Pm in an earth-centered-earth-fixed coordinate frame. • Pm,c is a 3-vector from the center of the earth to the computed position solution for the same antenna at MS m (the first three elements of the solution for the position and clock offset in the same coordinate frame) • em = Pm,c – Pm, the three-vector of error in the computed antenna location of the mth MS • Cm is the estimated covariance of the error in the computed position solution Pm,c (containing 9 of the 16 elements of the usual position/clock covariance matrix) P × e See Figure C-1. The normalized vector cross-product m m is a unit vector in Pm ⋅ em ⋅ sinθ the direction of the axis of an apparent earth rotation error.

Figure C-1. True and Computed Positions of mth MS Antenna Phase Center

e ⋅ sinθ The magnitude of the apparent earth orientation error in radians is m . (More Pm properly, the earth orientation error in radians is the length of a curved line on the earth’s surface, assumed spherical, from Pm to the sub-point of Pm,c projected onto the earth’s surface, divided by the radius of the earth. But for small distances, the length of the curved line is nearly equal to the straight-line distance between the two points.) So the apparent earth rotation error in radians as viewed by the mth MS can be characterized by P × e e ⋅ sinθ P × e m m ⋅ m = m m (C-1) P ⋅ e ⋅ sinθ P 2 m m m Pm

The test for existence of earth rotation error will compare a weighted average of the apparent earth rotation error statistics over all MSs to a threshold chosen to satisfy a missed detection probability pmd. The entire burden of detecting consistent errors will

111 need to be borne by this (or another) algorithm if it cannot be assumed that the a priori probability of a fault leading to consistent errors is less than 1. Such a situation will exist if both the following conditions hold:

• Some software in MSs or in the MCS is not qualified to Level 2 of RTCA DO- 278 or equivalent and could corrupt the measurements or the MCS-estimated ephemeris and clock parameters, and • It cannot be ruled out that a design fault in that software could cause consistent errors.

FAA considers it invalid to assume that the probability of a software fault is less than 1 because a software fault could manifest whenever a particular triggering condition occurs (which may be a non-random event). If it cannot be assumed that the a priori probability of consistent faults is less than 1, the required probability of missed detection, pmd, for the algorithm to detect consistent faults will be determined as a result of an allocation of the allowable integrity risk of 2 × 10-7/approach among single-signal and multiple-signal fault types.

What is of interest is not the direction but only the magnitude of the weighted average of the apparent earth orientation error. The magnitude of the weighted average of the apparent earth orientation error is the sum of the squares of the x-, y-, and z-components of the weighted average. Define weights wm,x wm,y and wm,z to be the inverse squares of

Pm × em the variances of the x-, y, and z-components of 2 . (The weights can be computed Pm based on Cm and Pm.)

The weighted average apparent earth rotation error magnitude in radians (a point estimate) is as follows:

2 2 2 ⎛ M ⎛ ⎞ ⎞ ⎛ M ⎛ ⎞ ⎞ ⎛ M ⎛ ⎞ ⎞ P × e ⎜ Pm × em ⎟ P × e ⎜ w ⎜ m m ⎟ ⎟ w ⎜ ⎟ ⎜ w ⎜ m m ⎟ ⎟ ⎜ ∑ m,x ⎜ 2 ⎟ ⎟ ⎜ ∑ m,y ⎜ 2 ⎟ ⎟ ⎜ ∑ m,z 2 ⎟ m=1 P m=1 P m=1 ⎜ P ⎟ ⎝ m ⎠ ⎝ m ⎠ y ⎝ m ⎠ α = ⎜ x ⎟ + ⎜ ⎟ + ⎜ z ⎟ (A-2) ⎜ M ⎟ ⎜ M ⎟ ⎜ M ⎟ ⎜ ∑ wm,x ⎟ ⎜ ∑ wm,y ⎟ ⎜ ∑ wm,z ⎟ ⎜ m=1 ⎟ ⎜ m=1 ⎟ ⎜ m=1 ⎟ ⎝ ⎠ ⎝ ⎠ ⎝ ⎠

The angle α is the length of a vector that could be expressed in any coordinate system, including a coordinate system where its y- and z-components are 0. In that coordinate system, α can be expressed as the absolute value of a weighted sum of normally distributed random variables (i.e., the absolute value of the quantity inside the first set of parentheses in the above expression), assuming that MS measurement errors and therefore their contributions to apparent earth rotation error are normally distributed. Therefore, a (1 – pmd) bound on the magnitude of true earth rotation error in radians is as follows:

112

−1 ⎛ pmd ⎞ α + Q ⎜1 − ⎟σ α (A-3) ⎝ 2 ⎠

-1 where Q (·) is the inverse cumulative normal distribution function and σα is the standard deviation of the error in the point estimate α. Therefore a (1 – pmd) upper bound on horizontal position error at the earth’s surface is as follows:

⎛ ⎛ p ⎞ ⎞ ⎜ −1 md ⎟ (A-4) ⎜α + Q ⎜1 − ⎟σ α ⎟ Pm ⎝ ⎝ 2 ⎠ ⎠

As noted above, the HAL for LPV-200 flight operations is 40 m. The entire tolerable horizontal error of 40 m should not be allocated to earth orientation errors, but some portion of it such as 28 m may be acceptable. A rationale is as follows: for LPV-200 approaches, the 95th percentile of vertical position error is 4 m as noted in Section 2. Therefore the probability that fault-free vertical position error exceeds, say, 12 m, is about 2 × 10-9 assuming a normal distribution. Fault-free horizontal GPS position error is generally smaller than GPS vertical position error. Therefore, in the fault-free case, the horizontal position error will also be less than about 12 m with a very high probability. The margin between 40 m and 12 m is 28 m.

The above algorithm is notional because it does not account for the fact that MS-to- satellite measurements are subject to measurement bias errors as well as other errors that are reasonably approximated by zero-mean Gaussian distributions. In order to make the measurement bias errors as small as possible, MS receivers should be selected that have judiciously chosen bandwidths, correlator spacing, and discriminator functions.

An algorithm such as the one described above would have excellent observability of earth orientation errors if satellite range measurements are available from the 6 US Air Force and 11 National Geospatial-Intelligence Agency (NGA). If all satellite range residuals were consistent with an incorrect earth orientation, the resulting user position errors would be in the horizontal plane rather than the vertical dimension. If user horizontal position error at the earth’s surface were large enough to be hazardous, it would have to be a significant fraction of the LPV-200 HAL of 40 m. As an example, if earth orientation error were large enough to result in a 10 m horizontal position error for a user near the earth’s surface, the resulting MS-to-satellite range residuals as viewed by the 6 USAF and 11 NGA MSs would have a distribution similar to that in Figure C-2. However, the nominal MS-to-satellite range residual distribution is approximately a zero- mean normal distribution with a standard deviation of about 0.8 meters, shown in Figure C-3. The distribution of residuals is quite different in the two cases.

113

Figure C-2. Distribution of Monitor-Station-to-Satellite Range Residuals (in meters) for a Particular Case of Incorrect Earth Orientation

Figure C-3. Probability Density Function of Zero-Mean Gaussian Random Variable With a Standard Deviation of 0.8 m (Comparable to Distribution of MS-to- Satellite Range Residuals in Fault-Free Case)

An algorithm capable of detecting earth orientation errors would not, however, be able to detect the more general case of multiple-signal fault conditions in which not all errors are consistent. Algorithms aimed at detecting the more general case of multiple-signal fault conditions are under study. If implemented in conjunction with an algorithm that detects consistent signal faults, some credit could be taken for the fact that ARAIM has a probability of detecting non-consistent fault conditions that is greater than zero.

114 Appendix D. List of GNSS Evolutionary Architecture Study Panel Members

Deane Bunce (Co- FAA ATO-W Chair) Leo Eldredge FAA ATO-W Deborah Lawrence FAA ATO-W Calvin Miles FAA ATO-W Pradipta Shome FAA ATO-W Kevin Bridges FAA AVS Ken Alexander FAA AVS Hamza Abduselam FAA AVS Tom McHugh FAA ATO-P Bill Wanner FAA ATO-P David Schoonenberg NSSO Karen Van Dyke RITA/Volpe Ed Sigler GPS TAC Joe Palermo JPDO/BAH Jiyun Lee GPS TAC Tim Murphy Boeing CAG Victor Lin GWing/Aerospace Karl Shallberg GREI Boris Pervan IIT John Dobyne G-WIng/ARINC Karl Kovach G-Wing/Aerospace Chris Hegarty MITRE Young Lee MITRE JP Fernow MITRE Frank Van Graas Ohio University Pat Reddan Zeta AJ van Dierendonck AJ Systems Juan Blanch Stanford University Todd Walter Stanford University Per Enge (Co-Chair) Stanford University

115 References

Axelrad P. and Parkinson, B. W (1988). “Autonomous GPS Integrity Monitoring Using the Pseudorange Residual.” Navigation 35 No. 2: 255-274.

Blanch, J., Ene, A., Walter, T., Enge, P. “An Optimized Multiple Solution Separation RAIM Algorithm for Vertical Guidance”. Proceedings of the ION GNSS 2007, Fort Worth, TX, September 2007.

Blanch2, J., Walter, T., Enge, P. “RAIM with Optimal Integrity and Continuity Allocations Under Multiple failures” to be published in IEEE Transactions on Aerospace and Electronic Systems

Brenner, M., “Integrated GPS/Inertial Fault Detection Availability,” Proceedings of The Institute of Navigation 8th International Technical Meeting, Palm Springs, California, September 1995.

Brown, R. G., “GPS RAIM: Calculation of Threshold and Protection Radius Using Chi- Square Methods—A Geometric Approach,” GPS Papers Published in Navigation (Red Book Series), Vol. V, Institute of Navigation, Fairfax, Virginia, 1998.

CAST, Certification Authorities Software Team (CAST) Position Paper CAST-9, “Considerations for Evaluating Safety Engineering Approaches to Software Assurance,” January 2002, available at http://www.faa.gov/aircraft/air_cert/design_approvals/air_software/cast/cast_papers/medi a/cast-9.pdf.

Cohenour, Curtis, and Frank van Graas, ““GPS Orbit and Clock Error Distributions,” NAVIGATION: Journal of the Institute of Navigation, to be published, 2010.

Creel, T. et al., “Summary of accuracy improvements from the GPS Legacy Accuracy Improvement Initiative (L-AII),” in Proceedings of the ION GNSS 2007, Fort Worth, TX, September 2007.

Datta-Barua, S., “Ionospheric Threats to the Integrity of Airborne GPS Users,” Stanford University Ph.D. Thesis, 2007

DeCleene, Bruce, “Defining Pseudorange Integrity—Overbounding,” Proceedings of ION GPS 2000, 19-22 September 2000, Salt Lake City UT, pages 1916–1924.

Edgar, C., Czopek, F., Barker, B., “A Co-operative Anomaly Resolution on PRN-19,” Proceedings of the 2000 13th International Technical Meeting of the Satellite Division of the Institute of Navigation, ION GPS-2000. Proceedings of ION GPS 2000, v 2, pp. 2269-271.

116 El-Arini, B., et al., “Modeling the Effect of Ionospheric Scintillation on SBAS Availability in the Western Hemisphere,” MITRE Paper, MP080294, December 2008.

Enge, P. and Misra, P., “Global Positioning System Signals, Measurements, and Performance,” Ganga-Jamuna Press, 2006.

FAA-AC, Federal Aviation Administration (FAA) Advisory Circular (AC) 20-138A, “Airworthiness Approval of Global Navigation Satellite System (GNSS) Equipment,” 22 December 2003

Gao1, G. X., Akos, D., Walter, T., and Enge, P. ‘GIOVE-B on the Air: Understanding Galileo's New Signals’. Published by Inside GNSS May/June2008

Gao2, G. et al., ‘Methodology and Case Studies of Signal-in-Space Error Calculation: Top-down Meets Bottom-up’, Proceeding of ION GNSS 2009, September 2009, Savannah, GA.

G.A.O. (Government Accountability Office): Global Positioning System: Significant Challenges in Sustaining and Upgrading Widely Used Capabilities, April 30, 2009. http://gao.gov/products/GAO-09-325

G.E.A.S. GNSS Evolutionary Architecture Study, Phase I- Panel Report, February, 2008,

GPS-SPS U.S. Department of Defense, Global Positioning System Standard Positioning Service Performance Standard, 4th edition, September 2008 van Graas, F., and Soloviev A., “Coasting with relative carrier phase RAIM,” in Briefing to GEAS Panel, Palo Alto, CA, Feb. 21–22, 2007.

Gratton et al. ‘Ephemeris Failure Rate Analysis and its Impact on Category I LAAS Integrity’, Proceedings of ION GNSS 2007, September 2007, Fort Worth, TX.

Gratton2, L., Joerger, M., and Pervan, B., “Carrier Phase Relative RAIM Algorithms and Protection Level Derivation,” Journal of Navigation, Vol. 63, No 2, April 2010.

Guo, F., et al, “Precision analysis on orbit and clock of GPS satellites broadcast ephemeris,” Geomatics and Information Science of Wuhan University, Vol. 34, No. 5, May 2009.

Hegarty, C. and E. Chatre, “Evolution of the Global Navigation Satellite System,” Proceedings of the IEEE, December 2008.

117 Hsu , P., Chiu, T., Golubev, Y., Phelts, R. E., “Test Results for the WAAS Signal Quality Monitor,” Proceedings of Position Location and Navigation Symposium, IEEE/ION PLANS, 2008

Huang, J., and van Graas, F., “Comparison of tropospheric decorrelation errors in the presence of severe weather conditions in different areas and over different baseline lengths,” Proceedings of the ION GNSS 2006, Fort Worth, Texas, September 2006.

Hutsell, Steven, Matthew Forsyth, and Charles McFarland, “One-Way GPS Time Transfer: 2002 Performance,” Proceedings of the 34th Annual Precise Time and Time Interval (PTTI) Systems and Applications Meeting, 3-5 December 2002, Reston VA, pp. 69-76.

ICAO1, Annex 10, Aeronautical Telecommunications, Volume 1 (Radio Navigation Aids), Amendment 84, published 20 July 2009, effective 19 November 2009. GNSS standards and recommended practices (SARPs) are contained in Section 3.7 and subsections, Appendix B, and Attachment D.

ICAO2, Navigation Systems Panel (NSP) Working Group of the Whole (WGW) Report, October 2008, Attachment G.

ICD-GPS-800, “Navstar GPS Space Segment/User Segment L1C Interfaces,” Draft IS- GPS-800, 19 April 2006, US GPS Joint Program Office, now called the GPS Wing.

IFOR, Requirements to the Interagency Forum on Operational Requirements (IFOR) for Future Global Positioning System (GPS) Acquisition, Attachment to a Letter by Daniel P. Salvano to IFOR Secretariat, July 26, 2004.

IS-GPS-200D, “Navstar GPS Space Segment/User Segment Interfaces,” 7 March 2006, Air Force GPS Wing, El Segundo, CA.

IS-GPS-705, “Navstar GPS Space Segment / User Segment L5 Interfaces,” IS-GPS-705 with Interface Revision Notice IRN-703-003, 22 September 2005, Air Force GPS Wing, El Segundo, CA.

IS-GPS-800, “Navstar GPS Space Segment/User Segment L1C Interfaces,” 4 September 2008, Air Force GPS Wing, El Segundo, CA.

Jefferson, D. and Y. Bar-Sever, “Accuracy and con-sistency of broadcast GPS ephemeris data,” in Proceedings of the 2000 13th International Technical Meeting of the Satellite Division of the Institute of Navigation, ION GPS-2000. Proceedings of ION GPS 2000, v 2, pp. 2269-271.

Klobuchar, J. A., “Ionospheric Effects on GPS,” Chapter 12 in Global Positioning System: Theory and Applications Vol. I, AIAA, 1996.

118 Konno, H.,“Design of an Aircraft Landing System Using Dual-Frequency GNSS,” PhD. Dissertation, Department of Aeronautics and Astronautics, Stanford University, 2008

Kovach. K. et. al. “GPS III Integrity Concept,” Proceedings of the ION GNSS 2008, Savannah, GA, September 2008.

Lee1, Y.C., “Analysis of the Range and Position Comparison Methods as a Means to Provide GPS Integrity in the User Receiver”, Proceedings of the Annual Meeting of the ION, Seattle, WA, June 1986.

Lee2, Y.C. and McLaughlin, M. P., “Feasibility Analysis of RAIM to Provide LPV 200 Approaches with Future GPS,” in Proceedings of ION GNSS-2007, Fort Worth, TX, September 2007.

Lee3, Y. C., et al., “GPS and Galileo with RAIM or WAAS for Vertically Guided Approaches,” in Proceedings of the ION GNSS 2005, Long Beach, California, September 13-16, 2005.

McGraw, G.and Young, P., “Dual-Frequency Smoothing DGPS Performance Evaluation Studies,” Proceedings of the ION National Technical Meeting 2005, San Diego, January 2005

Mitelman, A. M., Phelts, R. E., Akos, D. M., Pullen S. P., and Enge, P. K., “Signal Deformations On Nominally Healthy GPS Satellites,” Proceedings of the National Technical Meeting of the ION 2004, San Diego, CA, January 2004.

Oehler, V. et al., ‘The Galileo Integrity Concept and Performance,” in Proceedings of GNSS 2005 – The European Navigation Conference, Munich, Germany, 19-22 July 2005

Phelts1, R.E., (2001) Multicorrelator Techniques for Robust Mitigation of Threats to GPS Signal Quality, Ph.D. Thesis, Stanford University, Stanford, CA

Phelts2, R. E., Walter, T., Enge, P., Akos, D. M., Shallberg, K., and Morrissey, T., “Range biases on the WAAS geostationary satellites,” Proceedings of the ION National Technical Meeting 2004, San Diego, California, January 2004.

Rife, J. et al., “Paired Overbounding and Application to GPS Augmentation”, Proceedings of IEEE PLANS 2004.

RTCA/DO-208, “Minimum Operational Performance Standards for Airborne Supplemental Navigation Equipment Using Global Positioning System (GPS),” RTCA/DO-208, July 1991, prepared by RTCA Special Committee 159

RTCA/DO-229D, “Minimum Operational Performance Standards for Global Positioning System/Wide Area Augmentation System Airborne Equipment,” RTCA Document No. DO-229D, 13 December 2006, prepared by RTCA Special Committee (SC) 159.

119

RTCA DO-235, RTCA DO-235, "Assessment of Radio Frequency Interference Relevant to the GNSS", January, 1997.

RTCA DO-292, RTCA DO-292, ‘Assessment of Radio Frequency Interference Relevant to the GNSS L5/E5A Frequency Band’, July, 2004.

RTCA DO-316, “Minimum Operational Performance Standards for RTCA DO-316 for Global Positioning System/Aircraft Based Augmentation System Airborne Equipment,” DO-316, 14 April 2009, prepared by RTCA Special Committee 159.

SAE-ARP, “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment,” Society of Automotive Engineers (SAE) Aerospace Recommended Practice (ARP) 4761, December 1996, Warrendale, PA.

Seo, J., et al., “Availability Benefit of Future Dual Frequency GPS Avionics under Strong Ionospheric Scintillation,” Proceedings of the ION GNSS 2008, Savannah, GA, September 2008.

Shallberg, K. and Grabowski, J., “Considerations for Characterizing Antenna Induced Range Errors,” Proceedings of ION GNSS 2002, Portland, OR, September 2002.

Shank, Christopher M., and John Lavrakas, “GPS Integrity: An MCS Perspective,” Proceedings of the 6th International Technical Meeting of the Satellite Division of the Institute of Navigation Conference, ION GPS 1993, 22-24 September 1993, Salt Lake City UT, pp. 465-474.

TSO C-129, “Airborne Supplemental Navigation Equipment Using the Global Positioning System (GPS),” Technical Standard Order (TSO) C-129, 10 December 1992, U.S. Federal Aviation Administration, Washington, D.C.

TSO C-129a “Airborne Supplemental Navigation Equipment Using the Global Positioning System (GPS),” Technical Standard Order (TSO) C-129a, 20 February 1996, U.S. Federal Aviation Administration, Washington, D.C.

TSO-C145c, “Airborne Navigation Sensors Using the Global Positioning System Augmented by the Satellite Based Augmentation System,” TSO-C145c, 2 May 2008, U.S. Federal Aviation Administration, Washington, D.C.

TSO-C146c, “Stand-Alone Airborne Navigation Equipment Using The Global Positioning System Augmented By The Satellite Based Augmentation System,” TSO- C146c, 9 May 2008, U.S. Federal Aviation Administration, Washington, D.C.

TSO C196, “Airborne Supplemental Navigation Sensors for Global Positioning System Equipment Using Aircraft-Based Augmentation,” Technical Standard Order (TSO) C196, effective 21 September 2009, Federal Aviation Administration, Washington, D.C.

120

Van Dyke1, et al., “GPS Integrity Failure Modes and Effects Analysis,” Proceedings of ION NTM, Anaheim, CA, January 2003.

Van Dyke2, et al., “Status Update on GPS Integrity Failure Modes and Effects Analysis,” Proceedings of ION NTM, San Diego, CA, January 2004.

Walter, T., Blanch, J., and Enge, P., “Evaluation of Signal in Space Error Bounds to Support Aviation Integrity,” Proceedings of ION GNSS 2009, Savannah, GA, September 2009.

Walter2, T., Enge, P., Blanch, J., Pervan, B. “Worldwide Vertical Guidance of Aircraft Based on Modernized GPS and New Integrity Augmentations” Proceedings of the IEEE Special Issue on Aviation Information Systems. Vol.96, no. 12, December 2008.

Ward, P. et al. (2006) Interference, Multipath, and Scintillation, Understanding GPS Principles and Applications, 2nd Edition, Elliot Kaplan and C. Hegarty (ed.), Artech House, pp 243-299.

Warren, D. L. M. and Raquet, J. F. “Broadcast vs. precise GPS ephemerides: a historical perspective,” GPS Solutions, vol. 7, no. 3, Dec. 2003.

121